We are contemplating moving the blog posts from this site to the new one. At least for the moment, the blog posts created before today (December 7, 2022) can now be found under the “Archived Blogs” link on the left side menu. The “Blogs” link in that same menu will take you to the new site.

We hope you enjoy the new blog site and would love to hear from you about what you think about it. As on this site, blog posts from the community will always be gratefully accepted!

Netavark and Aardvark-dns v1.3.0 release

We have cut new releases of the network stack components for netavark and aardvark-dns. Both netavark and aardvark-dns versions 1.3.0 were released. As the process works, the upstream releases will slowly work their way into Linux distributions.

A basic summary of changes for both are as follows:

v1.3.0 Netavark​

• Housekeeping and code cleanup
• macvlan: remove tmp interface when name already used in netns
• Add support for route metrics
• netlink: return better error if ipv6 is disabled
• macvlan: fix name collision on hostns
• Ignore dns-enabled for macvlan (BZ2137320)
• better errors on teardown
• allow customer dns servers for containers
• do not set route for internal-only networks
• do not use ipv6 autoconf

v1.3.0 Aardvark-dns​

• allow one or more dns servers in the aardvark config

Podman Posts of Interest

By Tom Sweeney GitHub​

A number of blog posts have flung by and I have not had a chance to get individual link posts to them, so thought I would add a few here that have popped up recently, links after the break!.

• Mehdi Haghgoo - Manage containers on Fedora Linux with Podman Desktop - Learn about the opensource GUI application for managing containers on Linux, macOS, and Windows.
• Aditya Rajan and Giuseppe Scrivano - Use OCI containers to run WebAssembly workloads - Use crun to run Wasm/WASI workloads on Podman and Kubernetes.
• Scott McCarty - The ever-widening world of Wasm - Bringing WebAssembly and OCI containers together could enable us to run the same container image on any hardware or operating system we want—wherever it runs best, fastest, or cheapest.
• Erdem Yasar - RHEL 8.7 and 9.1 are focusing on Podman containers - Red Hat announced the beta release of its Red Hat Enterprise Linux (RHEL) versions 8.7 and 9.1.
• Mark Lameriks - Adding Podman to my VM with Minikube Part 1 - Mark looks at using the Podman driver as an alternative runtime to the Docker driver in an environment with Minikube.
• Mark Lameriks - Adding Podman to my VM with Minikube Part 2 - Mark looks at using the Podman driver as an alternative runtime to the Docker driver in an environment with Minikube.
• Jack Wallen - How to enable Podman sudo-less container management | #linux | #linuxsecurity - Jack shows you how to setup a secure rootless environment with Podman.
• Lokesh Mandvekar - How Podman packaging works on Linux - Get a deep dive into Podman packages for Debian and Ubuntu using Fedora Sources, OBS, and Debbuild.
• Srivalli Patchava - Podman vs Docker - Srivalli compare Podman vs Docker, the industry-standard container management tool for nearly a decade because these two systems have intrinsic distinctions yet are well-suited for collaboration.
• Pratham Patel - Understanding the Differences Between Podman and Docker - Pratham investigates the advantages one holds over the other.
• Cameron Pavey - Podman: The Rootless Docker Alternative - Cameron explores how Podman can be a rootless alternative to Docker.
• Trevor Bryant and [Samuel Walker]](https://www.redhat.com/en/authors/samuel-walker) - Enhancing application container security and compliance with Podman - A look into enhancing the security of OCI compliant containers by using Podman.
• Will Dinyes - MinIO, Podman, and Apple Silicon - Getting MinIO containers working on a Mac using Podman.
• Pradeesh Parameswaran - Build A Python Flask Application Container Using Podman —A Docker Alternative - Pradesh walks you through building a python flask application that runs as a container.
• Valentin Rothberg, Preethi Thomas, and Dan Walsh - [https://www.redhat.com/sysadmin/kubernetes-workloads-podman-systemd](How to run Kubernetes workloads in systemd with Podman) - Kubernetes YAML gives Podman a unified solution to declare container workloads across environments and simplify complexity for developers and sysadmins.
• Cedric Clyburn - Containers without Docker (podman, buildah, and skopeo) - Cedric shows how to work with containers using Podman, Buildah, and Skopeo.

Podman Windows Installer

By Tom Sweeney GitHub​

If you are looking into running Podman on Windows, Tom Sweeney's latest blog post on EnableSysadmin shows you how easy it is now. The Run Podman on Windows: How-to instructions runs you through the four steps that take five minutes to complete. After that is done, you can then run Podman from your favorite Windows terminal without first having to get into a Virtual Machine. As a bonus, there's a link to a walk through video tutorial included in the post.

Podman Posts of Interest

By Tom Sweeney GitHub​

A number of blog posts have flung by and I have not had a chance to get individual link posts to them, so thought I would add a few here that have popped up recently, links after the break!.

• Charlie Doern - How Podman can transfer container images without a registry - The new 'podman image scp' command makes it easy to transfer container images between users on the same system or network.
• Matt Heon - Podman 4.0's new network stack: What you need to know - Podman's new Netavark and Aardvark-based stack offers three main advantages over the existing CNI-based stack.
• Valentin Rothberg - How to run pods as systemd services with Podman - Extending traditional Linux system administration practices with the modern world of containers.
• Heyan Maurya - How to install Podman on Ubuntu 22.04 LTS Jammy Linux - Follow the steps in this tutorial to install the Podman container tool on Ubuntu 22.04 LTS Jammy JellyFish Linux.
• Dan Walsh - Container permission denied: How to diagnose this error - Learn what is causing a container permission eeror and how to work around the error properly!
• Brent Baude - 5 underused Podman features to try now - Simplify how you interact with containers by incorporating pods, init containers, additional image stores, system reset, and play kube into your work.
• Red Hat Developer - Podman basics: Resources for beginners and experts - This article offers resources both for developers getting started with Podman and for those seeking more advanced information.
• Jack Chang - Seal the Containerized ML Deal With Podman - A movie recommendation system using Podman.
• Lokesh Mandvekar - What Linux users and packagers need to know about Podman 4.0 on Fedora - New Podman features offer better support for containers and improved performance.
• Dan Walsh - 5 Podman features to try now - Improve how you use containers with these new Podman features: --latest, --replace, --all, --ignore, and --tz.

Podman, Buildah and Skopeo on Ubuntu 22.04 LTS

Ubuntu 22.04 LTS Beta is available for testing as of March 31st. This is the first LTS release with Podman, Buildah and Skopeo in the default repos, thanks to the amazing work of Reinhard Tartler and team.

The package versions available currently are: Podman 3.4, Buildah 1.23 and Skopeo 1.4.

There won't be any further updates to the Kubic repos as far as Podman, Buildah and Skopeo are concerned, so users are recommended to use the default repos on 22.04 LTS.

If you're currently using packages from the Kubic repos, it’s highly recommended to uninstall the Kubic packages prior to upgrading to 22.04 LTS.

Netavark and Aardvark-dns v1.0.2 release

The Podman development team has released new versions of both Netavark and Aardvark-dns. The releases mostly consist of updated dependency libraries and bugfixes. Additionally, netavark is now capable of having a statically addressed macvlan without a gateway address. New packages for Fedora 36 and the Podman4 COPR are being built and should be available shortly.

Podman v4.0.2 is available in Homebrew

Homebrew, also known as brew, now has the Podman v4.0.2 available. Updating should be trivial but please make sure that Qemu is also upgraded alongside Podman. One cool feature that the community helped us deliver is the ability to mount volumes from MacOS into the virtual machine. We decided to backport some code to make it available to users more quickly. As such, it is possible if not likely that there will be more changes around volume mounts in subsequent Podman releases (i.e. default mounts, technology used to make the mount).

Podman 4 is not in Fedora 35

Podman 4 will not officially ship in Fedora 35 because it has breaking changes from Podman 3. Fedora has well-founded policies that forbid updating a package in a Fedora release, like 35, that has breaking changes. This is true for most Linux distributions that are dependent on release versions.

However, the Podman team has set up a COPR (Cool Other Package Repo) so that you can still install Podman and its dependencies on Fedora 35. It is called rhcontainerbot/podman4. COPRs are not officially supported by Fedora or its infrastructure. The podman4 COPR also has builds for Fedora 36 and CentOS 9 stream. There are even Fedora 36 builds as well.

Using podman4 COPR​

Adding the podman4 COPR is very easy. Instructions for doing so can be found on the rhcontainerbot/podman4 project site. But for a quick start, it is simply:

    $ sudo dnf copr enable rhcontainerbot/podman4

Once that command completes, you can install Podman.

    $ sudo dnf install podman

Note: If you are upgrading an existing Podman 3 install and wish to run Podman 4's new network stack, be certain you that the aardvark and netavark packages are also installed (they are part of the same COPR). You will also need to then run podman system reset --force before running any new containers.

Testing Podman 4 with the new network stack

By Brent Baude GitHub​

Podman 4.0 will implement a new network stack instead of CNI plugins. There are two components to the new stack:

• Netavark performs interface setup, IP address/etc assignment, NAT, and port mapping.
• Aardvark-dns that replaces the previous DNS name custom plugin. Aardvark-dns is a DNS server that provides name resolution and forwarding for container networks.

Warning: Before testing Podman 4 and the new network stack, you will have to destroy all your current containers, images, and network. Consider exporting/saving any import containers or images.

If you have run Podman 3.x before upgrading to Podman 4, Podman will continue to use CNI plugins as it had before. There is a marker in Podman's local storage that indicates this. In order to begin using Podman 4, you need to destroy that marker with podman system reset. This will destroy the marker, all of the images, all of the networks, and all of the containers.

Setting up Podman 4 with netavark and aardvark-dns on Fedora​

If this is an upgrade to a current Podman install, destroy all current images, containers, and defined networks.

$ podman system reset --force

Ensure you have the DNF copr extension.

$ sudo dnf install 'dnf-command(copr)'

Add the podman4 test COPR to your system

$ sudo dnf copr enable rhcontainerbot/podman4

If you have never installed Podman, replace upgrade with install in the following command.

$ sudo dnf upgrade podman

If Podman was upgraded, you may have to install netavark explicitly. Otherwise, the Podman package will continue to use CNI.

$ sudo dnf install netavark aardvark-dns

If you find bugs, please report them to our github issues page.

Build Kubernetes pods with Podman play kube

The podman play kube command has docker compose features in it to make it easier to transition your compose workloads. Brent Baude explains how in the recent blog post on the Red Hat Enable Sysadmin site, https://www.redhat.com/sysadmin/podman-play-kube-updates.

How Podman runs on Macs and other container FAQs

Brent Baude clears up the confusion about Podman's machine architecture and other frequently asked questions in this recent blog post on the Red Hat Enable Sysadmin site, How Podman runs on Macs and other container FAQs.

Why can't I use sudo with rootless Podman?

So why can't I use sudo with rootless Podman? Matt Heon explains why and how you can safely work around the "need" if you have it in a recent blog post on the Red Hat Enable Sysadmin site, Why can't I use sudo with rootless Podman.

Working with container image manifest lists

By Chris Evich GitHub​

In this article, I will be using Podman, Buildah, and Skopeo container tools to produce an image that supports multiple architectures under a single "name".

Simply put, a manifest list is just a collection of images with some additional metadata. While in principle any set of images can be in a manifest list, the intended use is housing multi-platform and/or multi-arch images. Otherwise, manifest lists mostly look and feel like regular container images. You can pull, tag, and run them as you'd expect, with only a few exceptions.

Two and a half things will likely catch you off-guard:

• Pushing manifest lists to registries
• Removing manifest lists from local storage.
• The podman tag command is broken for manifest lists in v3.4, but works in Buildah v1.23.1.

Due to the way image-name references are internally processed, you should not use the usual podman push and podman rmi subcommands. THEY WILL NOT DO WHAT YOU EXPECT! Instead, you'll want to use podman manifest push --all <src> <dest> and podman manifest rm <name> (similarly for buildah). These will push/remove the manifest list itself instead of the contents. Similarly for tagging if you're on Podman v3.4, use the buildah tag command instead.

Great, so manifest lists sound awesome; I can pull, and run them. I can delete them with podman manifest rm, push with podman manifest push --all <src> <dest>, and tag with Buildah, but how can I create them?

Easy Mode​

The simplest way to create a multi-arch manifest list is by enabling emulation to support any non-native RUN instructions. This is done by installing the qemu-user-static package (or equivalent) for your distribution. Also ensure the related systemd-binfmt.service is enabled/started. Not all distributions support these, so skip to the next sections for details on other methods if required.

Assuming emulation is in place, let’s look at this example Containerfile:

FROM registry.access.redhat.com/ubi8:latest
RUN uname -a

Building a multi-arch manifest for this can be done with one build command. This is thanks to features of recent versions of Buildah (v1.23 and later) and Podman (v3.4 and later):

$ platarch=linux/amd64,linux/ppc64le,linux/arm64,linux/s390x
$ buildah build --jobs=4 --platform=$platarch --manifest shazam .

The key options used here are:

• --manifest - Add the resulting image into the named manifest list (shazam), creating it if it doesn't already exist.
• --platform - Accepts a comma-separated list of platform/architecture tuples (linux/amd64,linux/ppc64le,linux/arm64,linux/s390x).
• --jobs - Optional, causes the builds to execute in parallel using the specified number of threads (4). i.e., the build finishes much faster.

Note: Even this simple Containerfile and build command will produce quite a lot of output. Assuming it's successful, you may use the following command to examine the architectures:

$ skopeo inspect --raw containers-storage:localhost/shazam | \
      jq '.manifests[].platform.architecture'

Similarly, skopeo inspect can be used to examine manifest lists on registry servers - just swap containers-storage: with docker://. This is very useful for determining if a base image is a manifest list, and if it is, which architecture the images were built for. Querying metadata in this way doesn't require pulling down all the data, so it's quite fast.

Lastly and as mentioned at the beginning, pushing and removing manifest lists is special. You must use manifest push or manifest rm sub-commands. Otherwise, Podman will act on the contents rather than the manifest list itself. Then for push, you must specify both the source and destination. A somewhat contrived example might be:

$ buildah tag localhost/shazam quay.io/example/shazam
$ podman manifest rm localhost/shazam
$ podman manifest push --all quay.io/example/shazam docker://quay.io/example/shazam

If you don't specify both the source and push destination, you'll get an error message. In case you're wondering, the --all argument is required. This tells Podman to push the manifest list AND the contents, which is nearly always what you want to do. If you don’t use the --all option, only the native architecture will be sent without any warning or other indications.

Cheat Mode​

In the case of public automation services, where convenience and ease of maintenance are essential, there are a set of container images that will enable and configure qermu-user-static for you. These images must be run in --privileged mode but will make setting things up in the automation system very easy (docs). Once set up, the image-build method is precisely the same as the above section.

That said, this is not an endorsement, and you will need to perform your own due diligence. I only mention it in this article because if I don't, somebody is bound to bring it up. It's likely a fine setup for small, non-critical cases. But this will probably be a "no-go", where provenance and security are critical. So, if that applies to you, continue on to the next section.

Safe Mode​

In highly secure, locked-down, production environments using commercially supported distributions, additional safety is often paramount over the convenience of emulation. Additionally if the build is simply too complex, emulation-slow, or involves multiple incompatible platforms (i.e., Windows and Darwin) then it simply may not be practical.

In these cases, essentially you need to perform the builds separately, collect the images on one system, then combine them all into a manifest list as a separate step.

For example, let's assume that you've built the shazam image on several linux hosts, tagged each of them with their architecture name, and pushed them up to the quay.io/example/shazam repository. Combining them into a manifest list might look like this:

$ REPO=quay.io/example/shazam
$ podman manifest create $REPO:latest
$ for IMGTAG in amd64 s390x ppc64le arm64; do \
          podman manifest add $REPO:latest docker://$REPO:IMGTAG; \
      done
$ podman manifest push --all $REPO:latest docker://$REPO:latest

Note: For the manifest add sub-command, the target manifest list name comes first, then the image to add. In the above example, the command inside the loop will pull down the platform-tagged image (metadata) and add it into the new manifest list. There is no need for a separate pull operation, and Podman will automatically figure out the constituent architecture and platform information. If not, there are options to specify them manually during the manifest add operation. Lastly, in case of an accident, you'll find a manifest remove sub-command (same argument-order as manifest add).

Conclusion​

While countless additional details are available in the man pages, this basic knowledge should cover 90% of your needs. With these essential tricks in hand, producing your own multi-arch and/or multi-platform manifest lists is just a matter of practice (or some new bash scripts).

Please also remember to pay attention to the tooling versions, as several bugs and deficiencies are present in earlier editions. On that same note, if you do encounter any strange or unexpected behavior, please reach out to the upstream community for assistance.

Podman on Apple Silicon

By Brent Baude GitHub​

The Podman development team is happy to announce that Podman machine is now supported on Apple silicon hardware like the M1s.

The initial versions of Podman machine only supported Intel-based Apple machines. We could not support the Apple M1s because we needed some changes to occur in upstream projects that we depend on. Now that those things are fixed, we support Apple silicon hardware with Podman 3.4.

In the last two weeks, we were able to clear the final hurdles to support Podman machine on Apple Silicon. Many thanks to the QEMU maintainers and the maintainers of brew. And last but not least, the Fedora FCOS team which officially supports the aarch64 architecture now.

Podman on Macs Update

By Brent Baude GitHub​

The Podman team values the local development experience, and we think containers are a crucial part of that. We’ve been brainstorming, discussing, and testing solutions to bring a great Podman experience to Mac and Windows. We are constantly looking for ways to improve it. In particular, the latest release of Podman has support for Intel(as of Podman v3.4) Macs. We have been hearing good feedback for a few weeks now, but up until this point, we haven’t published a lot of documentation.

Recently, we have been getting an influx of questions about Podman and Podman desktop, specifically around Macs. Coincidentally, we have a really elegant solution which we’d like to introduce. In the recently released Podman-3.3.1, we now have support for Intel-based Macs. It is command-line driven and can be installed through brew (aka Homebrew).

User Experience on macOS​

The user-experience is quite simple:

1. Install brew (as it is described on their homepage)
2. Install podman from brew: brew install podman
3. Initialize a podman machine: podman machine init
4. Start the machine: podman machine start
5. Use podman as you normally would.

It is worth running podman machine --help to familiarize yourself with the other commands used to manage machines.

Please note that Podman machine is still under development. While we support port forwarding on Macs and Linux, we have not implemented a solution for file sharing and bind mounts. We are currently researching the various technologies to do so as we want to choose a performant approach.

Podman machine is currently only supported on Linux and Intel Macs. As for the new Macs that are based on Apple Silicon, we are now waiting for two things. First, we need some patches from upstream qemu to get merged and released. While we wait for the upstream patches, we are working on a possible work-around for qemu. If that is successful, we will re-enable the M1 support in Podman and get brew updated. The second is we need Fedora CoreOS aarch64 images to be indexed, which should be occurring very shortly. Podman 3.4, Oct-10-2021

User Experience on Windows​

We currently support the Windows platform with a remote client that can be downloaded from our GitHub releases page. That remote client requires a Linux server with Podman and its service running. We also have user reports that running Podman in WSL is quite tenable. Consider the WSL option if you do not have available Linux servers with Podman installed.

We intend to develop a desktop for the Mac and Windows experience for Podman. Early design work is under consideration. No timeline has been identified yet.

Questions?​

Remember, our development team can be found in our Matrix room which has been bridged to the #podman channel on libera IRC as well as our Discord server. You can also get in touch with us via our project page by opening issues, PR’s and discussions. We love to hear from people!

Podman is an open-source project. We are always looking for contributors to help us accelerate features into the Podman and container world.

Podman Posts of Interest

By Tom Sweeney GitHub​

A number of blog posts have flung by and I have not had a chance to get individual link posts to them, so thought I would add a few here that have popped up recently, links after the break!.

• Tony Kay - Running Podman Machine on the Mac M1 - Tony walks you through all the steps that you'll need in order to run Podman on a M1 Mac.
• Abhijeet Kasurde - Running Podman machine on macOS - Abhijeet also walks you through the steps of setting up qemu and Podman machine to run Podman on your Mac.
• Sumantro Mukherjee - Run a Linux virtual machine in Podman - Sumantro shows you how to use Podman machine to run Fedora CoreOS.
• https://github.com/bowmanjd - Install Docker on Windows (WSL) without Docker Desktop Jonathan shows you how to run Docker or Podman on Windows without Docker Desktop.

How to use Podman inside of a container

Do you want to know how to use Podman inside of a container? Dan Walsh and Urvashi Mohnani show you how to in a recent blog post on the Red Hat Enable Sysadmin site, How to use Podman inside of a container.

How to use Podman inside of Kubernetes

Do you want to know how to use Podman inside of Kubernetes? Urvashi Mohnani and Dan Walsh show you how to in a recent blog post on the Red Hat Enable Sysadmin site, How to use Podman inside of Kubernetes.

Hitesh Jethva posted a blog post on the Atlantic.Net site talking about How to Install and Use Podman on Ubuntu 20.04. In the post Hitesh walks through all the steps necessary from 'A' to 'Z' to get Podman up and running on Ubuntu 20.04 and how to do some initial Podman commands.

Podman Posts of Interest

By Tom Sweeney GitHub​

A number of blog posts have flung by and I have not had a chance to get individual link posts to them, so thought I would add a few here that have popped up recently, links after the break!.

• Ashley Cui - Exploring the new Podman secret command - Ashely strikes again with another great article. This time she's talking all about the new Podman secret command and how you can store sensitive information in your image, yet not have it be exposed without your container.
• cfillekes - Building and Publishing Multi-Arch Images and Image Manifests with Red Hat Buildah and Podman - Want to learn how to use the --platform flag in Podman and Buildah to build Multi-Arch images? Then this is the post for you!
• Dan Walsh - New container feature: Volatile overlay mounts - How to use volatile mounts in a container to increase performance and clean up unnecessary clutter.
• James Walker - What Is Podman and How Does It Differ from Docker? - James walks you through the differences between the two container tools.
• Dan Walsh - Using files and devices in Podman rootless containers - Dan talks about the k--group-add keep-groups feature and how it allows rootless containers to maintain the groups of its parent process.
• Sarthak Jain - How to automate Podman installation and deployment using Ansible - Sarthak shows you how to automate Podman with Ansible.
• Eduardo Medeiros - How to create container images with ansible-bender - Eduardo shows how to use Ansible Bender along with Podman and Buildah to build container images.
• Daniel Schier - Podman Networking - Part 2 - Daniel shows how the podman network command can be used for external and internal networks.
• Thomas Tuffin - Home automation: Running Home Assistant with Podman - An intro to the Home Assistant open source project, what it can do, and a basic setup using a container.

In this video, Kirill Shirinkin shows how he moved from Docker to Podman in a real docker-composed application.

Watch now.

Podman 3 and Docker Compose - How Does the Dockerless Compose Work?​

By Kirill Shirinkin GitHub​

One of the main Podman 3 features is the support of Docker Compose. You can take any of your existing docker-compose.yml and just use it with Podman.

In this video, Kirill Shirinkin shows how he moved from Docker to Podman in a real docker-composed application.

Watch now.

My latest blog post has just hit Enable Sysadmin. In the May the Fourth be with you via Podman post, I delve into running an Ascii movie featureing the first Star Wars Movie inside of a container run by Podman.

Enjoy and May the Fourth be with you!

By Tom Sweeney GitHub​

My latest blog post has just hit Enable Sysadmin. In the May the Fourth be with you via Podman post, I delve into running an Ascii movie featureing the first Star Wars Movie inside of a container run by Podman.

Enjoy and May the Fourth be with you!

Podman Posts of Interest

By Tom Sweeney GitHub​

A number of blog posts have flung by and I have not had a chance to get individual link posts to them, so thought I would add a few here that have popped up recently, links after the break!.

• Oracle-Base - Podman : Install Podman on Oracle Linux 8 (OL8) - A nice first look at Podman on Oracle Linux 8 from install to basic usage including rootless.
• Dave Meurer - How to replace Docker with Podman on a Mac - Dave shows you what you need to know about Podman on Mac.
• Mohit Goyal - Installing and Working with Podman as Container Engine - Walks you through the installation and basic usage of Podman.

Announcement: Support for Older Distros on Kubic Project/OBS

By Lokesh Mandvekar GitHub​

The Podman Community builds and supports packages for a wide variety of Linux distributions and operating systems. These builds are provided in the public Open Build Service hosted by openSUSE. These pre-built packages have made it easier for new users to test the latest-greatest versions of Podman and allow for using it on distributions that do not yet provide it in their main repositories.

As Podman matures, we are constantly looking for ways to focus on improvement to the project versus just maintenance. One area of focus is around trimming down the matrix of packages we build for different Linux distros. This is made easier by the fact that Podman is now supported natively in many major Linux distributions. For instance, Podman is in the main repositories in Ubuntu 20.10 and future versions. Also, Podman is going to be released with Debian 11.

With the launch of Podman 3.0, we will be trimming support for the latest builds of Podman for a number of older distributions. There are technical reasons that make it barely possible to support a modern container engine such as Podman on too old systems, where the kernel and certain core libraries may be too old.

Podman 3.0 will be the last major build on CentOS 7, Debian 10 and Ubuntu 18.04. After this release, we recommend users who need the latest versions of Podman to move to newer versions of their Linux distribution.

Easy Development Dependency Management With Podman and Tent

By Farhan Hasin Chowdhury GitHub​

Installing and managing development dependencies for various project is a chore and one thing that can improve your everyday workflow is the usage of containers.

Tent is a CLI tool for running development dependencies such as MySQL, Mongo, ElasticSearch etc inside pre-configured containers using simple one-liners.

Running containers can be accessed via their exposed ports and can be paired with any other application on your system.

Starting a service such as mysql is as simple as executing tent start mysql and you'll never have to look back at it.

But mysql is not the only available service. A list of all the available services can be found on: services.go

Tent is heavily inspired from tighten/takeout and is an experimental project. Hence, care should be taken if you're using it in a critical environment.

Dependencies​

• Linux
• Podman Installed
• Podman System Service Running

If you have Podman installed, you can start the system service as follows:

## starts the podman system service
systemctl --user start podman.socket

## enables the podman system service, so it doesn't close on every reboot
systemctl --user enable podman.socket

## stops the podman system service
systemctl --user stop podman.socket

## disables the podman system service, so it doesn't start on every reboot
systemctl --user disable podman.socket

Tent assumes that you're running the service in non-root mode, hence the --user argument is necessary in the above commands.

Installation​

Visit the tent release page and download the tent binary to your computer. Open up your terminal where you've donwloaded the file and execute following commands:

chmod +x ./tent

sudo mv ./tent /usr/local/bin

Now the tent command should be available everywhere in your system.

Build From Source​

If you're on a Fedora system, the following command should install the necessary development dependencies.

sudo dnf groupinstall "Development Tools" -y && sudo dnf install golang btrfs-progs-devel gpgme-devel device-mapper-devel -y

And on a Ubuntu system, the following command should install the necessary development dependencies.

sudo apt install build-essential golang-go libbtrfs-dev libgpgme-dev libdevmapper-dev -y

If you're on a different system you, may look for equivalent package on the respective package repositories.

Now build and install the application as follows:

git clone https://github.com/fhsinchy/tent.git ~/tent

cd ~/tent

make install

Usage​

The tent binary has following commands:

• tent start <service name> - starts a container for the given service
• tent stop <service name> - stops and removes a container for the given service
• tent list - lists all running containers

Most of the services in tent utilizes volumes for persisting data, so even if you stop a service, it's data will be persisted in a volume for later usage. These volumes can listed by executing podman volume ls and can be managed like any other podman volume.

Start a Service​

The generic syntax for the start command is as follows:

tent start <service name>

## starts mysql and prompts you where necessary
tent start mysql

## starts redis and mongo and prompts you where necessary
tent start redis mongo

Start Service with Default Configuration​

The --default flag for the start command can be used to skip all the prompts and start a service with default configuration

tent start <service name> --default

## starts mysql with the default configuration
tent start mysql --default

## starts redis and mongo with default configuration
tent start redis mongo --default

Stop a Service​

The generic syntax for the stop command is as follows:

tent stop <service name>

## stops mysql and removes the container
## prompts you if multiple containers are found
tent stop mysql

## stops all mysql containers and removes them
tent stop mysql --all

## stops redis and mongo then removes the containers.
## prompts you if multiple containers are found for any of the given services.
tent stop redis mongo

## stops all redis and mongo conainers and then removes them
tent stop redis mongo --all

Stop all Services​

The --all flag for the stop command can be used to stop and remove all running tent containers at once

tent stop --all

Running Multiple Versions​

Given all the services are running inside containers, you can spin up multiple versions of the same service as long as you're keeping the port different.

Run tent start mysql twice; the first time, use the --default flag, and the second time, put 5.7 as tag and 3307 as host port.

Now, if you run tent list, you'll see both services running at the same time.

+--------------+----------------+---------------+---------------+
| CONTAINER              | Image               | PORTS          |
+--------------+----------------+---------------+---------------+
| tent-mysql-5.7-3307    | docker.io/mysql:5.7 | 3307->3306/tcp |
| tent-mysql-latest-3306 | docker.io/mysql:5.7 | 3306->3306/tcp |
+--------------+----------------+---------------+---------------+

Container Management​

Containers started by tent are regular containers with some pre-set configurations. So you can use regular podman commands such as ls, inspect, logs etc on them. Although tent comes with a list command, using the podman commands will result in more informative results. The target of tent is to provide plug and play containers, not to become a full-fledged podman cli.

Contribution​

Tent is an open-source project and contributions are more than welcomed. If you're a Go programmer do take some time to go through the source-code, see if you can improve any part of the program, the maintainer will be more than happy to co-operate. And if you like the project, don't forget to leave a star and share with other fellow developers to show your appreciation.

From Docker Compose to Kubernetes with Podman

By Brent Baude GitHub​

If you want to know how to use Podman v3.0 to convert Docker Compose YAML to a format that Podman recognizes, Brent Baude explains the "how to" in a recent blog post on the Red Hat Enable Sysadmin site, From Docker Compose to Kubernetes with Podman. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

Podman Posts of Interest

By Tom Sweeney GitHub​

A number of blog posts have flung by and I have not had a chance to get individual link posts to them, so thought I would add a few here that have popped up recently, links after the break!.

• Paul Ferrill - Compare Docker vs. Podman for container management - Compares Docker and Podman and shows the difference in security between the two.
• Pietro Bertera - Painless services: implementing serverless with rootless Podman and systemd - Talks about creating a service using systemd and Podman.
• Jack Wallen - How to install Podman on Ubuntu - As the title suggests, Jack walks you through the Podman installation process on Ubuntu.
• Jack Wallen - Tutorial: Host a Local Podman Image Registry - Jack walks you through setting up a local container image registry using Podman.
• Baeldung - An Introduction to Podman - This is a nice walk through Podman for someone new to the tool.

Podman: Managing pods and containers in a local container runtime

By Brent Baude GitHub​

Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

Using Podman and Docker Compose

By Brent Baude GitHub​

One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

Podman API v1.0 and libpod.conf Removal Notice

By Tom Sweeney GitHub​

On August 1, 2020, the Podman team posted a Podman API v1.0 Deprecation and Removal notice. As noted in that document, the Podman API v1.0 relied on the varlink library to handle the underlying client/server calls from the Podman client to the host where the Podman service was running. The support for the varlink library was greatly reduced in the spring of 2020. This led the Podman team to investigate the use of other client/server technologies and it was decided to develop a RESTful API for Podman using the native Go libraries.

This new Podman v2.0 RESTful API was released along with Podman v2.0 in June of 2020 and replaces the Podman API v1.0. As of that time the Podman API v1.0 for Podman was considered to be deprecated. The Podman team noted that the Podman v1.0 (varlink) API would be removed from the Podman project in a future release and that a one month notice would be sent to the community before the version of Podman without the v1.0 API was released. This note represents that notice.

The Podman API v1.0 was just recently removed from the upstream repository on GitHub as work has started on the next release of Podman, v3.0. Podman v3.0 is expected to be released on Fedora 33 in late January 2021 and then later next year in RHEL 8.4 and other distributions.

At the same time as the removal of the Podman v1.0 API, the libpod.conf file has also been removed and it too will no longer be included with Podman starting in Podman v3.0. The functionality of this file has been replaced by containers.conf. If there have been modifications made to the libpod.conf file in your environment, you should be able to make the same changes in containers.conf and they will be honored.

If you have any questions or concerns about this notification, please send a note to the Podman mailing list or create an issue on Podman’s GitHub repository.

Using Podman and systemd to manage container lifecycle

By Ed Haynes GitHub​

My background is in industrial automation, and in most cases, the edge devices in the factory are too underpowered to run Kubernetes as a method to manage the lifecycle of containers. The workloads have a very long lifecycle, and generally are "tied" to the edge device. There is a lot of value in containerizing applications on these edge devices, however, as it decouples the application dependencies from the OS and provides a level of isolation between applications. This demo will show how using Podman in conjunction with systemd provides an elegant solution for this sort of use case. In addition, this will be done as a "rootless" user - a key benefit of Podman that helps keep the device secure.

For my demo, I used a minimal Fedora33 install with Podman installed. To simplify my lifecycle (which in industrial can be 10+ years) I want to keep the base OS as minimal and clean as possible and keep all application dependencies in the containers. I will be creating a redis in-memory keystore database as my containerized application and use the "podman generate systemd" utility to generate the systemd unit file. This file lets systemd know what your policies are for your application - whether it should start at boot or restart when it fails. In my case I want my application available at boot and also want it to restart in case of failure. I enable and start the systemd service with the --user flag, again I don't want root access for security reasons on this device.

I provide a test script to test the redis container API. While I could have installed the redis-cli on my base Fedora33 OS to do this testing this would violate my desire to keep the base OS as minimal as possible. I pass values to the redis container's port via "nc" to set a key index of "frog" to 56. I then show via getting that index that the value is properly set. Now for the interesting part. I use pkill to kill the redis database and then show how systemd restarts the failed container. You can also reboot the OS and find your application running at startup.

To tidy things up I provide a cleanup script which stops the service and cleans up the container so you can start the demo from the top if you like.

To run this demo yourself (I've tested on Fedora33, Red Hat 8.3, and Ubuntu 20.10) ensure Podman and git are installed on your OS

Also remember this is all done as a standard user - no root!

git clone https://github.com/edhaynes/podman_systemd_usermode_demo.git

cd podman_systemd_usermode_demo

./launch_redis_container.sh

"launch_redis_container.sh" launches redis container, adds usermode systemd entry, enables and starts it. You will need to hit "q" to get out of the shown status.

You should see something like:

redis_server.service - Podman container-redis_ Loaded: loaded

 Active: active (running) since Wed 2020-12-09 09:22:40 EST; 1h 58min ago

Now that redis is running you can run the test script that sets a key value, retrieves it, and then kills the redis container. systemd will then restart the container and you can see all is working again. Do this with:

./test_redis_container.sh

Once you are done experimenting with it you can run the cleanup script to stop the systemd service, remove it and stop / remove the container.

./cleanup.sh

Hope you enjoyed this demo and any comments or suggestions please make them in the GitHub repository.

Podman Posts of Interest

By Tom Sweeney GitHub​

A number of blog posts have flung by and I have not had a chance to get individual link posts to them, so thought I would add a few here that have popped up recently, links after the break!.

• mkdev - (Video) Buildah, Dive, Skopeo: 3 Container Tools for building images on Kubernetes Cluster, with Gitlab CI - A video showing how these tools can be lightweight replacements for Docker.
• Scott McCarty - Updates to Container Tools in Red Hat Enterprise Linux 8.3 - Our own Scott McCarty previews the new container capabilities in Red Hat Enterprise Linux 8.3.
• Anais Urlichs - Docker Images Without Docker — A Practical Guide - Anais Talks about how the Docker Daemon runs as root, why that's a problem, and how Buildah and Podman avoids that.
• hostnextra.com site - Easy to Install Podman on Ubuntu 20.04 - Like the title says, how to easily install Podman on Ubuntu 20.04.
• Prakhar Sethi - Rootless containers with Podman: The basics - Prakhar introduces rootless containers with Podman.
• Damian Velazquez Cafaro - A Spotlight on Podman - Damian provides a nice overview on Podman.
• Cedric Clyburn - Transitioning from Docker to Podman - Cedric gives a nice overview of Podman and how you can transition to it from Docker.
• Hervé Beraud - Using Podman to run OpenStack OSLO.Messaging's Simulator- Hervé shows you how to run the simulator using Podman!

Container image short names in Podman

By Tom Sweeney GitHub​

Do you like you container names to be short, sweet and yet secure? Valentin Rothberg shows you how in a recent blog post on the Red Hat Enable Sysadmin site, Container image short names in Podman. This functionality is now available in the upstream version of Podman and is targeted for Podman v3.0.

The history of an API: GitLab Runner and Podman

By Tom Sweeney GitHub​

In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

Exploring Podman RESTful API using Python and Bash

By Jhon Honce GitHub​

In a recent blog post on the Red Hat Enable Sysadmin site, Exploring Podman RESTful API using Python and Bash, Jhon Honce nicely demonstrates the new Podman REST API using code examples in Python and shell commands. Additional notes are included in the code comments. The provided code was written to be clear vs. production quality.

Podman Community Meeting - October 6, 2020

By Tom Sweeney GitHub​

The first Podman Community Meeting is coming up at 11:00 a.m. Eastern on October 6th, 2020. We plan to hold the meeting on Bluejeans and will be holding them going forward on the first Tuesday of every month. All are welcome and it's free of charge! The agenda after the break and hope to see a lot of you there.

Podman Community Meeting Agenda Tuesday October 6, 2020 11:00 a.m. to 12:p.m. Eastern (UTC−04:00) Bluejeans: https://bluejeans.com/796412039 (If you have trouble connecting, please reach out in IRC libera.chat #podman)

Next Meeting: Tuesday November 3, 2020 11:00 a.m. Eastern (UTC-04:00)

DevConf US 2020 Containers Technologies Talk

By Tom Sweeney GitHub​

In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

Podman Security Issue

Today, we're releasing updates to fix CVE-2020-14370, a security issue in Podman. This is a medium-severity information disclosure vulnerability that affects containers created using Podman’s Varlink API or the Docker-compatible version of its REST API. If two or more containers are created using these APIs, and the first container had environment variables added to it when it was created, all subsequent containers created using the Varlink or Docker-compatible REST APIs will also have these environment variables added. This effect does not persist after restarting the Podman API service.

Podman v2.0.5 and higher contain a fix for the CVE. If you use either of these APIs, please update to Podman v2.0.5 or later. We will also be patching the long-term support v1.6.4 release used in RHEL and CentOS.

Podman Posts of Interest

By Brent Baude GitHub​

• Brian Smith - Rootless containers using Podman - Watch this two-part video series on understanding root inside and outside of containers and how user namespaces work.
• Jack Wallen - How to install Podman support in Cockpit - Learn how to add Cockpit support to manage images and containers.
• Dan Walsh - SELinux changes for KVM-separated (Kata) containers - Understanding SELinux types that improve security in container engines such as Podman and CRI-O.
• Brian Smith - Scanning containers for vulnerabilities with OpenSCAP and Podman - Containers are no more secure than physical machines. Find out how to scan yours for vulnerabilities.
• Brian Smith - (Video)Managing Containers in Podman with systemd Unit Files
• Mrivik - (asciinema)GIMP working on rootless Podman container

• Brian Smith - Rootless containers using Podman - Watch this two-part video series on understanding root inside and outside of containers and how user namespaces work.
• Jack Wallen - How to install Podman support in Cockpit - Learn how to add Cockpit support to manage images and containers.
• Dan Walsh - SELinux changes for KVM-separated (Kata) containers - Understanding SELinux types that improve security in container engines such as Podman and CRI-O.
• Brian Smith - Scanning containers for vulnerabilities with OpenSCAP and Podman - Containers are no more secure than physical machines. Find out how to scan yours for vulnerabilities.
• Brian Smith - (Video)Managing Containers in Podman with systemd Unit Files
• Mrivik - (asciinema)GIMP working on rootless Podman container

Podman remote clients for macOS and Windows

By Brent Baude GitHub​

In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

The podman play kube command now supports deployments

By Matthew Heon GitHub​

In a recent blog post on the Red Hat Enable Sysadmin site, The podman play kube command now supports deployments, you can now learn all about the recent features added to Podman to interact with Kubernetes objects. The podman generate kube command allows you to export your existing containers into Kubernetes Pod YAML. This YAML can then be imported into OpenShift or a Kubernetes cluster. The podman play kube does the opposite, it allows you to take a Kubernetes YAML and run it in Podman. Learn all of the details and more in the blog post!

Tick-tock. Does your container know what time it is?

By Tom Sweeney GitHub​

Ashley Cui recently joined our team at Red Hat and just wrote her first ever blog post that is now on the Red Hat Enable Sysadmin site Tick-tock. Does your container know what time it is?. In this timely post, Ashley walks you through setting the timezone within a container using the --tz option. Just prior to this posting, I had answered a very similar question for someone. This is a really good and quick blog, and I'm sure the first of many for Ashley.

Container video series: Rootless containers, process separation, and OpenSCAP

By Tom Sweeney GitHub​

Do you want to know more about Rootless containers, process separation, and OpenSCAP? If you're like many, a video is a better learning device than a blog post. Well you're in luck, Brian Smith just landed a blog post on the Red Hat Enable Sysadmin site Container video series: Rootless containers, process separation, and OpenSCAP with a number of blog posts on the subject, many featuring Podman.

Podman Troubleshooting Guide

By Tom Sweeney GitHub​

As a kid, I was fascinated by space flight. If I couldn't be a fireman like my father, I wanted to be an astronaut. Of course I had to have a Major Matt Mason figure so I could fly him around the house and then land him softly in a jury-rigged parachute in my wading pool. Then of course the whole Apollo 13 drama had me riveted, and when the movie came out years later, I fell in love with this line in the movie, "Let's work the problem people. Let's not make things worse by guessing." by Ed Harris who played Gene Kranz the "vested" flight director.

That's been a helpful creed for me and it's also helpful for the Podman world too. Many times the community spends a fair amount of effort answering issues and questions either in GitHub's issues or in the Podman Mailing List. That's really great, but sometimes the discussion finds that the problem is concerning an issue that is on the Podman Troubleshooting Guide. This page might be one of the least visited pages on the site, yet the most helpful, especially for people who are new to the Podman project.

The page contains a number of common issues and solutions for Podman. It can help people who are running into issues find out if the issue has been encountered before. Some of the more common ones are issues with mounts and selinux, rootless containers not being able to ping the host, rootless containers exiting with the user, and more. A lot of the items of the page are not really issues with the Podman software, but rather that required configuration steps for use cases were not completed. Along with the problem and typical error responses on this page, each one has a solution section that will walk you through the steps needed to correct the problem. As common problems are encountered along the way, the community is encouraged to add them to the troubleshooting page, keeping it a fresh source of information.

Hopefully this post will help users of Podman find and discover solutions to their problems more easily in the Podman Troubleshooting Guide. Just as importantly, it will act as a reminder for those in the community who are familiar with the page to consider adding problems and solutions that they may encounter. As we move forward, effective use of this page will help us prove Gene Kranz right in the Podman universe, "Failure is not an option".

Learning Red Hat's Podman (docker), Buildah, Skopeo and Quay.io

By Tom Sweeney GitHub​

Four engineers at IBM and Red Hat, JJ Asghar, Brian Tannous, Jason Dobies and Cedric Clyburn spent some time in a stream learning about Podman, Buildah, Skopeo from the ground up in this video blog post. Check out the video to get a great introduction to the tools.

Moving from docker-compose to Podman pods

By Tom Sweeney GitHub​

Nathan Lager just landed a blog post on the Red Hat Enable Sysadmin site Moving from docker-compose to Podman pods. In the post, Nathan talks about ins and outs of the migration process.

Podman Go bindings

By Lokesh Mandvekar GitHub and Parker VanRoy​

Introduction​

In the release of Podman 2.0, we removed the experimental tag from its recently introduced RESTful service. While it might be interesting to interact with a RESTFul server using curl, using a set of Go based bindings is probably a more direct route to a production ready application. Let’s take a look at how easily that can be accomplished.

If you haven't yet, install Go.

Be careful to double-check that the version of golang is new enough (i.e. go version), version 1.13.x or higher is supported. If needed, Go sources and binaries can be fetched from the official Go website.

The Podman Go bindings are a set of functions to allow developers to execute Podman operations from within their Go based application. The Go bindings connect to a Podman service which can run locally or on a remote machine. You can perform many operations including pulling and listing images, starting, stopping or inspecting containers. Currently, the Podman repository has bindings available for operations on images, containers, pods, networks and manifests among others. The bindings are available on the v2.0 branch in the upstream Podman repository. You can fetch the bindings for your application using Go modules:

$ cd $HOME
$ mkdir example && cd example
$ go mod init example.com
go: creating new go.mod: module example.com
$ go get github.com/containers/podman/v2@v2.0.4
go: downloading github.com/containers/podman/v2 v2.0.4
go get: github.com/containers/podman/v2@v2.0.4: parsing go.mod:
    module declares its path as: github.com/containers/libpod/v2
            but was required as: github.com/containers/podman/v2

This creates a new go.mod file in the current directory that looks as follows:

module example.com

go 1.14

require github.com/containers/libpod/v2 v2.0.4 // indirect

You can also try a demo application with the Go modules created already:

$ git clone https://github.com/containers/Demos
$ cd Demos/podman_go_bindings
$ ls
README.md  go.mod  go.sum  main.go

How do I use them​

In this tutorial, you will learn through basic examples how to:

0. Start the Podman system service
1. Connect to the Podman system service
2. Pull images
3. List images
4. Create and start a container from an image
5. List containers
6. Inspect the container
7. Stop the container
8. Debugging tips

Start the Podman system service ​

The recommended way to start Podman system service in production mode is via systemd socket-activation:

$ systemctl --user start podman.socket

There’s no timeout specified when starting the system service via socket-activation.

For purposes of this demo, we will start the service using the Podman command itself. If you prefer the system service to timeout after, say, 5000 seconds, you can run it like so:

$ podman system service -t 5000

Note that the 5000 seconds uptime is refreshed after every command is received. If you want the service to stay up until the machine is shutdown or the process is terminated, use 0 (zero) instead of 5000. For this demo, we will use no timeout:

# -t 0 implies no timeout, default timeout 5 seconds
$ podman system service -t 0

Open another terminal window and check if the Podman socket exists:

$ ls /run/user/${UID}/podman
podman.sock

If you’re running the system service as root, podman.sock will be found in /run/podman:

$ ls /run/podman
podman.sock

Connect to the Podman system service ​

First, you need to create a connection that connects to the system service. The critical piece of information for setting up a new connection is the endpoint. The endpoint comes in the form of an URI (method:/path/to/socket). For example, to connect to the local rootful socket the URI would be unix:/run/podman/podman.sock and for a rootless user it would be unix:$(XDG_RUNTIME_DIR)/podman/podman.sock, typically: unix:/run/user/${UID}/podman/podman.sock.

The following Go example snippet shows how to set up a connection for a rootless user.

package main

import (
        "context"
        "fmt"
        "os"

        "github.com/containers/libpod/v2/libpod/define"
        "github.com/containers/libpod/v2/pkg/bindings"
        "github.com/containers/libpod/v2/pkg/bindings/containers"
        "github.com/containers/libpod/v2/pkg/bindings/images"
        "github.com/containers/libpod/v2/pkg/domain/entities"
        "github.com/containers/libpod/v2/pkg/specgen"
)

func main() {
        fmt.Println("Welcome to the Podman Go bindings tutorial")

        // Get Podman socket location
        sock_dir := os.Getenv("XDG_RUNTIME_DIR")
        socket := "unix:" + sock_dir + "/podman/podman.sock"

        // Connect to Podman socket
        connText, err := bindings.NewConnection(context.Background(), socket)
        if err != nil {
                fmt.Println(err)
                os.Exit(1)
        }
}

The connText variable received from the NewConnection function is of type context.Context(). In subsequent uses of the bindings, you will use this context to direct the bindings to your connection. This can be seen in the examples below.

Pull an image ​

Next, we will pull a couple of images using the images.Pull() binding. This binding takes three arguments: - The context variable created by the bindings.NewConnection() call in the first example - The image name - Options for image pull

Append the following lines to your function:

        // Pull Busybox image (Sample 1)
        fmt.Println("Pulling Busybox image...")
        _, err = images.Pull(connText, "docker.io/busybox", entities.ImagePullOptions{})
        if err != nil {
                fmt.Println(err)
                os.Exit(1)
        }

        // Pull Fedora image (Sample 2)
        rawImage := "registry.fedoraproject.org/fedora:latest"
        fmt.Println("Pulling Fedora image...")
        _, err = images.Pull(connText, rawImage, entities.ImagePullOptions{})
        if err != nil {
                fmt.Println(err)
                os.Exit(1)
        }

Run it:

$ go run main.go
Welcome to the Podman Go bindings tutorial
Pulling Busybox image...
Pulling Fedora image...
$

The system service side should echo messages like so:

Trying to pull docker.io/busybox...
Getting image source signatures
Copying blob 61c5ed1cbdf8 [--------------------------------------] 0.0b / 0.0b
Copying config 018c9d7b79 done
Writing manifest to image destination
Storing signatures
Trying to pull registry.fedoraproject.org/fedora:latest...
Getting image source signatures
Copying blob dd9f43919ba0 [--------------------------------------] 0.0b / 0.0b
Copying config 00ff39a8bf done
Writing manifest to image destination
Storing signatures

List images ​

Next, we will pull an image using the images.List() binding. This binding takes three arguments:

• The context variable created earlier
• An optional bool 'all'
• An optional map of filters

Append the following lines to your function:

        // List images
        imageSummary, err := images.List(connText, nil, nil)
        if err != nil {
            fmt.Println(err)
            os.Exit(1)
        }
        var names []string
        for _, i := range imageSummary {
            names = append(names, i.RepoTags...)
        }
        fmt.Println("Listing images...")
        fmt.Println(names)

Run it:

$ go run main.go
Welcome to the Podman Go bindings tutorial
Pulling Busybox image...
Pulling Fedora image...
Listing images...
[docker.io/library/busybox:latest registry.fedoraproject.org/fedora:latest]
$

Create and Start a Container from an Image ​

To create the container spec, we use specgen.NewSpecGenerator() followed by calling containers.CreateWithSpec() to actually create a new container. specgen.NewSpecGenerator() takes 2 arguments: - name of the image - whether it's a rootfs

containers.CreateWithSpec() takes 2 arguments: - the context created earlier - the spec created by NewSpecGenerator

Next, the container is actually started using the containers.Start() binding. containers.Start() takes three arguments: - the context - the name or ID of the container created - an optional parameter for detach keys

After the container is started, it's a good idea to ensure the container is in a running state before you proceed with further operations. The containers.Wait() takes care of that. containers.Wait() takes three arguments: - the context - the name or ID of the container created - container state (running/paused/stopped)

Append the following lines to your function:

        // Container create
        s := specgen.NewSpecGenerator(rawImage, false)
        s.Terminal = true
        r, err := containers.CreateWithSpec(connText, s)
        if err != nil {
                fmt.Println(err)
                os.Exit(1)
        }

        // Container start
        fmt.Println("Starting Fedora container...")
        err = containers.Start(connText, r.ID, nil)
        if err != nil {
                fmt.Println(err)
                os.Exit(1)
        }

        running := define.ContainerStateRunning
        _, err = containers.Wait(connText, r.ID, &running)
        if err != nil {
                fmt.Println(err)
                os.Exit(1)
        }

Run it:

$ go run main.go
Welcome to the Podman Go bindings tutorial
Pulling image...
Starting Fedora container...
$

Check if the container is running:

$ podman ps
CONTAINER ID  IMAGE                                     COMMAND    CREATED                 STATUS                     PORTS   NAMES
665831d31e90  registry.fedoraproject.org/fedora:latest  /bin/bash  Less than a second ago  Up Less than a second ago          dazzling_mclean
$

List Containers ​

Containers can be listed using the containers.List() binding. containers.List() takes seven arguments: - the context - output filters - boolean to show all containers, by default only running containers are listed - number of latest created containers, all states (running/paused/stopped) - boolean to print pod information - boolean to print rootfs size - boolean to print oci runtime and container state

Append the following lines to your function:

        // Container list
        var latestContainers = 1
        containerLatestList, err := containers.List(connText, nil, nil, &latestContainers, nil, nil, nil)
        if err != nil {
            fmt.Println(err)
            os.Exit(1)
        }
        fmt.Printf("Latest container is %s\n", containerLatestList[0].Names[0])

Run it:

$ go run main.go
Welcome to the Podman Go bindings tutorial
Pulling Busybox image...
Pulling Fedora image...
Listing images...
[docker.io/library/busybox:latest registry.fedoraproject.org/fedora:latest]
Starting Fedora container...
Latest container is dazzling_mclean
$

Inspect Container ​

Containers can be inspected using the containers.Inspect() binding. containers.Inspect() takes 3 arguments: - context - image name or ID - optional boolean to check for container size

Append the following lines to your function:

        // Container inspect
        ctrData, err := containers.Inspect(connText, r.ID, nil)
        if err != nil {
                fmt.Println(err)
                os.Exit(1)
        }
        fmt.Printf("Container uses image %s\n", ctrData.ImageName)
        fmt.Printf("Container running status is %s\n", ctrData.State.Status)

Run it:

$ go run main.go
Welcome to the Podman Go bindings tutorial
Pulling Busybox image...
Pulling Fedora image...
Listing images...
[docker.io/library/busybox:latest registry.fedoraproject.org/fedora:latest]
Starting Fedora container...
Latest container is peaceful_noether
Fedora Container uses image registry.fedoraproject.org/fedora:latest
Fedora Container running status is running
$

Stop Container ​

A container can be stopped by the containers.Stop() binding. containers.Stop() takes 3 arguments: - context - image name or ID - optional timeout

Append the following lines to your function:

        // Container stop
        fmt.Println("Stopping the container...")
        err = containers.Stop(connText, r.ID, nil)
        if err != nil {
                fmt.Println(err)
                os.Exit(1)
        }
        ctrData, err = containers.Inspect(connText, r.ID, nil)
        if err != nil {
                fmt.Println(err)
                os.Exit(1)
        }
        fmt.Printf("Container running status is now %s\n", ctrData.State.Status)

Run it:

$ go run main.go
Welcome to the Podman Go bindings tutorial
Pulling Busybox image...
Pulling Fedora image...
Listing images...
[docker.io/library/busybox:latest registry.fedoraproject.org/fedora:latest]
Starting Fedora container...
Latest container is peaceful_noether
Fedora Container uses image registry.fedoraproject.org/fedora:latest
Fedora Container running status is running
Stopping Fedora container...
Container running status is now exited

Debugging tips ​

To debug in a development setup, you can start the Podman system service in debug mode like so:

$ podman --log-level=debug system service -t 0

The --log-level=debug echoes all the logged requests and is useful to trace the execution path at a finer granularity. A snippet of a sample run looks like:

INFO[0000] podman filtering at log level debug
DEBU[0000] Called service.PersistentPreRunE(podman --log-level=debug system service -t0)
DEBU[0000] Ignoring libpod.conf EventsLogger setting "/home/lsm5/.config/containers/containers.conf". Use "journald" if you want to change this setting and remove libpod.conf files.
DEBU[0000] Reading configuration file "/usr/share/containers/containers.conf"
DEBU[0000] Merged system config "/usr/share/containers/containers.conf": {Editors note: the remainder of this line was removed due to Jekyll formatting errors.}
DEBU[0000] Using conmon: "/usr/bin/conmon"
DEBU[0000] Initializing boltdb state at /home/lsm5/.local/share/containers/storage/libpod/bolt_state.db
DEBU[0000] Overriding run root "/run/user/1000/containers" with "/run/user/1000" from database
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /home/lsm5/.local/share/containers/storage
DEBU[0000] Using run root /run/user/1000
DEBU[0000] Using static dir /home/lsm5/.local/share/containers/storage/libpod
DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp
DEBU[0000] Using volume path /home/lsm5/.local/share/containers/storage/volumes
DEBU[0000] Set libpod namespace to ""
DEBU[0000] Not configuring container store
DEBU[0000] Initializing event backend file
DEBU[0000] using runtime "/usr/bin/runc"
DEBU[0000] using runtime "/usr/bin/crun"
WARN[0000] Error initializing configured OCI runtime kata: no valid executable found for OCI runtime kata: invalid argument
DEBU[0000] using runtime "/usr/bin/crun"
INFO[0000] Setting parallel job count to 25
INFO[0000] podman filtering at log level debug
DEBU[0000] Called service.PersistentPreRunE(podman --log-level=debug system service -t0)
DEBU[0000] Ignoring libpod.conf EventsLogger setting "/home/lsm5/.config/containers/containers.conf". Use "journald" if you want to change this setting and remove libpod.conf files.
DEBU[0000] Reading configuration file "/usr/share/containers/containers.conf"

If the Podman system service has been started via systemd socket activation, you can view the logs using journalctl. The logs after a sample run look like so:

$ journalctl --user --no-pager -u podman.socket
-- Reboot --
Jul 22 13:50:40 nagato.nanadai.me systemd[1048]: Listening on Podman API Socket.
$

$ journalctl --user --no-pager -u podman.service
Jul 22 13:50:53 nagato.nanadai.me systemd[1048]: Starting Podman API Service...
Jul 22 13:50:54 nagato.nanadai.me podman[1527]: time="2020-07-22T13:50:54-04:00" level=error msg="Error refreshing volume 38480630a8bdaa3e1a0ebd34c94038591b0d7ad994b37be5b4f2072bb6ef0879: error acquiring lock 0 for volume 38480630a8bdaa3e1a0ebd34c94038591b0d7ad994b37be5b4f2072bb6ef0879: file exists"
Jul 22 13:50:54 nagato.nanadai.me podman[1527]: time="2020-07-22T13:50:54-04:00" level=error msg="Error refreshing volume 47d410af4d762a0cc456a89e58f759937146fa3be32b5e95a698a1d4069f4024: error acquiring lock 0 for volume 47d410af4d762a0cc456a89e58f759937146fa3be32b5e95a698a1d4069f4024: file exists"
Jul 22 13:50:54 nagato.nanadai.me podman[1527]: time="2020-07-22T13:50:54-04:00" level=error msg="Error refreshing volume 86e73f082e344dad38c8792fb86b2017c4f133f2a8db87f239d1d28a78cf0868: error acquiring lock 0 for volume 86e73f082e344dad38c8792fb86b2017c4f133f2a8db87f239d1d28a78cf0868: file exists"
Jul 22 13:50:54 nagato.nanadai.me podman[1527]: time="2020-07-22T13:50:54-04:00" level=error msg="Error refreshing volume 9a16ea764be490a5563e384d9074ab0495e4d9119be380c664037d6cf1215631: error acquiring lock 0 for volume 9a16ea764be490a5563e384d9074ab0495e4d9119be380c664037d6cf1215631: file exists"
Jul 22 13:50:54 nagato.nanadai.me podman[1527]: time="2020-07-22T13:50:54-04:00" level=error msg="Error refreshing volume bfd6b2a97217f8655add13e0ad3f6b8e1c79bc1519b7a1e15361a107ccf57fc0: error acquiring lock 0 for volume bfd6b2a97217f8655add13e0ad3f6b8e1c79bc1519b7a1e15361a107ccf57fc0: file exists"
Jul 22 13:50:54 nagato.nanadai.me podman[1527]: time="2020-07-22T13:50:54-04:00" level=error msg="Error refreshing volume f9b9f630982452ebcbed24bd229b142fbeecd5d4c85791fca440b21d56fef563: error acquiring lock 0 for volume f9b9f630982452ebcbed24bd229b142fbeecd5d4c85791fca440b21d56fef563: file exists"
Jul 22 13:50:54 nagato.nanadai.me podman[1527]: Trying to pull registry.fedoraproject.org/fedora:latest...
Jul 22 13:50:55 nagato.nanadai.me podman[1527]: Getting image source signatures
Jul 22 13:50:55 nagato.nanadai.me podman[1527]: Copying blob sha256:dd9f43919ba05f05d4f783c31e83e5e776c4f5d29dd72b9ec5056b9576c10053
Jul 22 13:50:55 nagato.nanadai.me podman[1527]: Copying config sha256:00ff39a8bf19f810a7e641f7eb3ddc47635913a19c4996debd91fafb6b379069
Jul 22 13:50:55 nagato.nanadai.me podman[1527]: Writing manifest to image destination
Jul 22 13:50:55 nagato.nanadai.me podman[1527]: Storing signatures
Jul 22 13:50:55 nagato.nanadai.me systemd[1048]: podman.service: unit configures an IP firewall, but not running as root.
Jul 22 13:50:55 nagato.nanadai.me systemd[1048]: (This warning is only shown for the first unit using IP firewalling.)
Jul 22 13:51:15 nagato.nanadai.me systemd[1048]: podman.service: Succeeded.
Jul 22 13:51:15 nagato.nanadai.me systemd[1048]: Finished Podman API Service.
Jul 22 13:51:15 nagato.nanadai.me systemd[1048]: podman.service: Consumed 1.339s CPU time.
$

Wrap Up​

Podman v2 provides a set of Go bindings to allow developers to integrate Podman functionality conveniently in their Go application. These Go bindings require the Podman system service to be running in the background and this can easily be achieved using systemd socket activation. Once set up, you are able to use a set of Go based bindings to create, maintain and monitor your container images, containers and pods in a way which fits very nicely in many production environments.

References​

• Podman v2 is available for most major distributions along with MacOS and Windows. Installation details are available on the Podman official website.

• Documentation can be found at the Podman Docs page. It also includes a section on the RESTful API.

Contribute​

• Any issues with the bindings can be reported upstream.
• Check out the Podman community page for more ways to get in touch with the community.

Acknowledgments​

• This blog post was co-authored by Parker Van Roy, currently interning at Red Hat for summer 2020.

• Thanks to Brent Baude for the initial blog post suggestion and reviews.

• Thanks to Tom Sweeney, Valentin Rothberg, Dan Walsh and the entire Podman team for their reviews and insightful comments.

Improved systemd integration with Podman 2.0

By Tom Sweeney GitHub​

Valentin Rothberg just landed a blog post on the Red Hat Enable Sysadmin site Improved systemd integration with Podman 2.0. In the post, Valentin talks about how systemd in Podman v2.0 is even more tightly integrated than it was in prior versions.

Podman API v1.0 Deprecation and Removal Notice

By Tom Sweeney GitHub​

The Podman API v1.0 relied on the varlink library to handle the underlying client/server calls from the Podman client to the host where the Podman service was running. About one year ago, the Podman team was notified that the focus on the varlink library was being greatly reduced and there would be no further development and little support for it from the varlink library team. This led the Podman team to investigate the use of other client/server technologies and it was decided to develop a RESTful API for Podman using the native Go libraries.

This new Podman v2.0 RESTful API was released along with Podman v2.0 in June of 2020 and replaces the Podman API v1.0. As of that time the Podman API v1.0 for Podman is considered to be deprecated. If there are issues with the Podman API v1.0 in versions of Podman prior to v2.0 and those versions are still under support on Red Hat Enterprise Linux (RHEL), the Podman team will make a best effort to address those issues. However, no new feature requests for the API v1.0 will be considered and any problems found with the API v1.0 in Podman v2.0 will not be addressed.

The new Podman v2.0 RESTful API is split into two halves: one providing a Docker-compatible API, and a Libpod API providing support for Podman’s unique features such as pods. The new API works in both a rootful and a rootless environment. It is a much more flexible solution and Podman will not have a dependency on another project in order to supply an API. For more information on the Podman v2.0 RESTful API please see articles on the podman.io site and also the documentation for the Podman v2.0 RESTful API here.

Distributions have to support services for the length of their support agreements. The Podman development team wants to be free to update the version of Podman during this support cycle. Therefore, we are planning to drop support for Podman API v1.0 from distributions Red Hat is the packagers for. The version of Podman, 2.*, which is contained in Fedora 33, scheduled to be released around Oct 31, 2020, will ship with no varlink support. We also plan to drop support from the RHEL8.4 release, spring 2021. Other distributions like OpenSUSE have already disabled varlink support and we have heard that other distributions will follow suit.

This also serves as a notification that the Podman v1.0 (varlink) API will be removed from the main GitHub branch of Podman in the near future. With the release of Podman v2.0 the Podman developers deprecated the Podman API v1.0 in favor of the new Podman v2.0 RESTful API. The plan is to remove varlink completely from the Podman v3.0 development branch which will be created some time after September 2020. A 30 day notification of the final removal date will be posted on the podman.io site and also on the Podman mailing list, along with social media once it is definitively determined.

If you have any questions or concerns about this notification, please send a note to the Podman mailing list or create an issue on Podman’s GitHub repository.

Speed up container builds with overlay mounts

By Dan Walsh GitHub​

Dan Walsh has another blog post on the Red Hat Enable Sysadmin site this time he's writing on how to Speed up container builds with overlay mounts. In the article Dan walks you through speeding up builds for multiple distributions by sharing the host's metadata.

Exploring additional image stores in Podman

By Dan Walsh GitHub​

Dan Walsh has another blog post on the Red Hat Enable Sysadmin site this time he's writing about Exploring additional image stores in Podman. In the article Dan shows you how to store container images on shares, permitting the images to be accessed over the network.

Building images using Podman and cron

By Tom Sweeney GitHub​

Tom Sweeney has another blog post on the Red Hat Enable Sysadmin site this time he's writing about Building images using Podman and cron. In the article Tom talks about how necessity became the mother of invention and cron was put into use to build container images on a regular schedule.

The Podman repository has been renamed

By Matthew Heon GitHub​

The Podman repository on Github is moving from github.com/containers/libpod to github.com/containers/podman! Read on to find out why, and how it will affect you.

Three years ago, we created a new Git repository to hold our new container-management tool and the library it was based on. At the time, Podman was not named Podman, but kpod - a name no one on the team liked, and one we’d hoped to replace quickly. Given this, we decided to name the repository after the library we’d written to manage containers - libpod. Four months after that, we made the first public release of the tool, and with it came a new name - Podman (POD MANager). The rest is, as they say, history. The Podman team is incredibly grateful for the success we’ve seen since then, and the way that the community has grown.

With the release of Podman 2.0, we decided it was a good time to for the rename our repository to better match how it’s used today. We’ve decided to rename our Github repository from containers/libpod to containers/podman. The libpod name made sense when we first made the repository, but it hasn’t been the focus of development for some time. We’ve actually been considering moving the libpod library into a separate repository, to make it easier to include in our other tools (and it would be very confusing for containers/libpod to not include libpod!). Given this, and the fact that there are far more users of Podman the tool than libpod the library, renaming the repository makes a great deal of sense.

Finally, this rename helps make the repository more discoverable - it’s hard for a new Podman user to know that issues should be filed against containers/libpod since they probably don’t know what libpod is.

We don’t expect this move will break anyone’s workflow. Github will ensure that the old URLs redirect to the new location, so access to the repo itself, as well as our issues and pull requests, should be unaffected.

Podman REST API and Docker compatibility

By Matthew Heon GitHub​

Versioning the REST API​

Podman v2.0.0 launched recently, and with it the REST API. We’ve seen a great deal of excitement with this new API because of what it will enable - enabling applications and automation to use Podman when the could previously only use Docker. As you may know, Podman’s REST API is split into two halves: one providing a Docker-compatible API, and a Libpod API providing support for Podman’s unique features such as pods. We would love for all projects to eventually grow to support for our native Libpod API, but this will take time (and may be impossible for older, no longer maintained projects). As such, we need to talk about the Compatibility API and how it can be used.

When we developed the compatibility API layer, we targeted the latest released version of the Docker API, v1.40. Within this version, we aimed to implement all endpoints, with the exception of those used for Swarm(¹). Podman is not a tool for managing clusters, and does not intend to become one. We recognize that many existing tools do not target this specific Docker API version, and these are occasionally breaking changes in the Docker API that may make using the newest API impossible. The core Podman team cannot commit to being bug-for-bug compatible with every version of the Docker API. The Podman team commits to fixing bugs related to the latest version of Docker API. We may fix bugs with older versions that affect many users. As a community project, we gladly accept help here - if you find bugs that prevent Podman from working with a specific API version you use and are willing to fix them, we’re always happy to accept patches!

We’re very excited by the possibilities the new Podman API offers, and encourage everyone to try it out. Question and bug reports are always welcome at our Github page or our email list.

Podman v2.0 is here! Brent Baude talks about the major highlights of the new release, including the new RESTful API, remote client improvements, Auto-update functionality and systemd integration improvements. More details in the announcement post.

Announcing Podman v2

By Brent Baude GitHub​

If you have been following the upstream development of Podman, you have undoubtedly seen us refer to “2.0” or “Podman 2”. Today, we have made the first release of Podman 2 upstream. The release notes highlight many of the newest features but we wanted to call out some specific things in this blog and expand on them.

“Pay no attention to the man behind the curtain”​

Most of the changes to the new Podman should be transparent to end users. We did a significant amount of replumbing in our internals to allow for future enhancements and more closely align many of the code paths. There are some subtle changes to the outputs of some commands and fields within JSON formatted responses. They were largely done to create more consistency amongst our commands as well as driven by user feedback.

RESTful API​

The biggest change in Podman 2 is our introduction of a RESTful API to interact with our libraries. In actuality, the RESTful service was present in earlier versions but was tagged experimental. We have also deprecated the previous API implementation based on varlink. We will publish more specific blogs and tutorials on how to use the API but consider this a little introduction.

The API was designed to have two layers: libpod and compatibility. The libpod layer allows you to interact directly with the libpod libraries. The compatibility layer is designed to emulate the Docker RESTful API to assist in migration of tools, applications, and services long-term to libpod. This can be made clearer with an example. Consider inspecting a container called ‘foobar’ with each layer. The endpoint paths would differ depending on the layers.

/v1.24/containers/foobar   ← compatibility call
/v1.0/libpod/containers/foobar  ← libpod call

Furthermore, the results of each call will differ. The compatibility result will closely emulate the response from Docker.

Our preference is that people writing new code to interact with Podman should use the libpod layer only. This is a more sound long term strategy. But for people that need to migrate to Podman, the compatibility layer allows for a quick on-boarding. There are of course Docker endpoints we cannot or choose not to emulate due to incompatibities between Docker and Podman. Nevertheless, we have already seen some field success in migration of applications.

In keeping with Podman’s history the restful API will work in both rootless and rootful mode. If you run in rootful mode, the podman service will listen on /run/podman/podman.sock and rootless is $XDG_RUNTIME_DIR/podman/podman.sock (for example: /run/user/1000/podman/podman.sock). If you install the podman-docker package, the package will set up a link between run/docker/docker.sock and /run/podman/podman.sock.

Remote clients​

One of the consequences of our re-plumbing work is that our remote clients for Windows, Mac, and Linux are significantly smaller in size. The interface for the remote client connection has also changed to more of a URI format. As a matter of process, we attach a binary version of the remote clients to each release.

It is also worth noting that a ‘--remote’ flag has been added to the Podman binary to allow it to act as a remote client.

Auto-update​

The podman auto-update command allows for updating systemd-managed running containers when their images have been updated on the container registry. While it is still a tech preview in Podman v2.0, we added a number of improvements to better support authentication and to select the correct images on ARM. If you’re interested in auto updates, please check them out and let us know what you think.

systemd Integration Improvements​

A major improvement for Podman’s systemd support is that podman generate systemd now supports using the --new flag on pods. This allows for creating shareable systemd units not only for containers but also for pods. Additionally, we added a number of changes to make the systemd units more robust and reliable, such as cleanly starting after a system crash and clean shutdowns even when conmon has been killed. The names of generated files can further be altered with the new --container-prefix and --pod-prefix flags.

Conclusion​

This is a major new version of Podman with the goal to support all of your local container engine needs. We sincerely hope that the new features meet your needs. We continue to develop new content based on the API including new bits to the API itself. Before making too many more changes, we will let Podman “bake” for a while before the next radical functions are added.

We would love to hear your feedback and look forward to working with the community on giving Podman users and developers the best container experience. Remember upstream Podman development usually hangs out on #podman on Freenode and on the Podman mailing list.

The CI/CID tests have been re-enabled upstream and are run with each pull request submission. We are now hard at work finishing up some of the core podman-remote functions. Once those functions are complete, we can then begin to run our podman-remote system and integration tests to catch any regressions.

More details in the announcement post.

Update on Podman v2

By Brent Baude GitHub​

A few weeks ago, we made an announcement about the development of Podman V2. In the announcement, we mentioned that the state of upstream code would be jumbled for a while and that we would be temporarily disabling many of our CI/CD tests. The upstream development team has been hard at work, and we are starting to see that work pay off.

Today, we are very excited to announce:

The local Podman v2 client is complete. It is passing all of its rootful and rootless system and integration tests.

The CI/CID tests have been re-enabled upstream and are run with each pull request submission. We are now hard at work finishing up some of the core podman-remote functions. Once those functions are complete, we can then begin to run our podman-remote system and integration tests to catch any regressions.

We have re-enabled the autobuilds for Podman v2 in Fedora rawhide. As mentioned earlier, the Podman remote client is not complete, so that binary is temporarily being removed from the RPM. It will be re-added when the remote client is complete. As a corollary, the Windows and OS/X clients are also not being compiled or tested. This will occur once the remote client for Linux is complete.

We encourage you to pull the latest upstream Podman code and exercise it with your use cases to help us protect against regressions from Podman v1. We hope to make a full Podman v2.0 release in several weeks, once we are confident it is stable. We look forward to hearing what you think, and please do not hesitate to raise issues and comments on this in our GitHub repository, our Freenode IRC channel #podman, or to the Podman mailing list.

We’re very excited to bring Podman v2.0 to you as it offers a lot more flexibility through it’s new REST API interface and adds several enhancements to the existing commands. If your project builds on top of Podman, we would especially love to have you test this new version out so we can ensure complete compatibility with Podman v1.0 and address any issues found ASAP.

Note: This announcement was first released to the Podman mailing list. If you are not yet a member of that community, please join us by sending an email to podman-join@lists.podman.io with the word “subscribe” as the title.

Podman installation documentation in French​

Est-ce que tu parles français? Le mien est horrible. But if your abilities to read and speak French is better than mine, check out this website that I was just pointed to. Installation podman sur CentOS 8 by Bilal Kalem shows you how to install Podman on Centos 8. If nothing else, check out the graphic at the top of the page!

Podman v2 development update

By Brent Baude GitHub​

In the last few days, the Podman development team has been working to release Podman-1.9.0. This is likely to be the last Podman-1.X release before we transition to Podman v2.x. We have been working since November 2019 to make a significant overhaul of Podman’s architecture. And if we did our job correctly, most casual Podman users will not notice a difference. We will continue to investigate and fix issues in Podman-1.x versions but severity of the bug and priority will dictate our response.

What some users who follow upstream development may notice is that while we make the final push to a 2.x release, our GitHub repository will look drastically different. For some period of time, certain Podman commands, if built based on upstream, may not function exactly as expected nor even exist. We already know we will need to disable some of our CI testing framework as part of this final push until we have a more complete Podman v2.x. We will not release Podman 2.0 until we are satisfied that it is ready. While upstream development will be impacted by the announced migration to Podman v2.x, you can still open issues and contribute pull requests to the project.

As has been the standard with our project, we will remain transparent in our development activities and try to keep our community appraised of our progress. We are excited for some of the technical advancements that Podman v2.x will give our users. Subsequent blog posts will be written on those advancements and why they matter to our users.

Dockerless: Build and Run Containers with Podman and systemd​

By Kirill Shirinkin GitHub​

In this video, Kirill Shirinkin will show how to use Podman to build container images and run Java applications in containers with systemd.

We are going to learn why we should at least try alternatives to Docker, how container runtime landscape changed and how Podman is different and in certain ways better than Docker.

Watch now.

Managing Podman pods with pods-compose

By Balázs Németh GitHub​

Managing Podman pods with pods-compose makes your move to Podman easier. Balázs Németh already converted his docker-compose services to pods with Podman, however some features were missing, up until now. Let’s meet pods-compose.

Convert docker-compose services to pods with Podman

By Balázs Németh GitHub​

How to deploy pods with Podman when you only need a single-host system and not a complete Kubernetes. Check the blog post Convert your docker-compose services to pods with Podman by Balázs Németh to see how it can be done.

Pulling podman images from a container repository

By Tom Sweeney GitHub​

Tom Sweeney has another blog post on the Red Hat Enable Sysadmin site this time he's writing about Pulling podman images from a container repository. Learn the different varieties of pull that the podman build command can use to speed up or further secure your environment in this post.

What happens behind the scenes of a rootless Podman container?

By Dan Walsh GitHub​

Dan Walsh along with Matt Heon have a blog post on the Red Hat Enable Sysadmin site, What happens behind the scenes of a rootless Podman container?. If you ever wanted to know what happens under the covers of a rootless container, this is the article for you!

Building Container Images with Podman and Buildah

We were just pointed to this post Building Container Images with Podman and Buildah by Puja Abbassi on the Giant Swarm site. In the article Puja goes over how Podman and Buildah handle daemonless and rootless building processes. A tardy link on this site, but worth a read!

6 guides on making containers secure

By Dan Walsh GitHub​

Dan Walsh has another blog post on the Red Hat Enable Sysadmin site this time he's writing about 6 guides on making containers secure. It's a quick article with pointers to other blog posts showing how to secure your containers.

Deploy a Pod on CentOS with Podman

Jack Wallen has a blog post on the THENEWSTACK site with a great introduction on how to Deploy a Pod on CentOS with Podman. In the post, Jack talks about how Podman fits in the Red Hat ecosystem and then walks you through the fundamentals of creating and running a pod using Podman.

How to run Podman on Windows with WSL2

By Brent Baude GitHub​

Brent Baude has another blog post on the Red Hat Enable Sysadmin site this time it's all about How to run Podman on Windows with WSL2. If you want to know how to run Podman on Windows 10, this article will show you how.

Blog posts from the Web

By Tom Sweeney GitHub​

Over the holiday break, a number of great posts were added to a number of sites that filled up my Twitter feed, so I thought I'd throw together a quick block with links to the highlights from the past month:

• Deploy PhotoPrism in CentOS 8(using Podman) - Lukas Zapletal
• Replacing Docker with Podman - first steps - Martijn de Jong
• Podman lands on Debian (Twitter Posting) - Scott McCarty
• Video: How to install Podman container engine on CentOS 8 - Tech Republic
• Building Container Images with Buildah and Ansible - Tomas Tomecek
• Video: How to deploy a pod with Podman - Jack Wallen
• Podman and Skopeo on macOS - Balazs Szeti
• How To Install Podman on Debian on 10 / 9 - Sabi
• How to run Docker Containers using Podman and Libpod - Sabi
• How to Install Podman on Arch Linux / Manjaro - Sabi

By Brent Baude GitHub​

If you follow the traffic on IRC (#podman on libera.chat) or GitHub from the developers of libpod, you might have seen us referencing a new API. We often referred to it as apiv2 and for about a month, there has been an 'apiv2' branch for libpod on GitHub. This week, we have begun to merge that branch but have yet to “wire it up.”

First and foremost, the Golang libpod API remains largely unchanged. What is changing is the API we expose for automation and remote usage. Our previous API was based on the varlink protocol. But we heard from users that varlink was a hurdle for libpod adoption especially for those who were using the Docker API and its bindings. They simply could not or did not want to rewrite their custom applications for libpod’s new, varlink-based API.

The new API is a simpler implementation based on HTTP/REST. We provide two basic groups of endpoints. The first one is for libpod; the second is for Docker compatibility, to ease adoption. The two endpoints are namespaced to keep them separate. Our goal with implementing a portion of the Docker API, is to be as compatible as possible; while similar calls in the libpod API might bring back additional libpod specific information.

While these two endpoints work similarly, there are important and somewhat nuanced differences. The Docker API endpoint is useful for existing automation tied to that API and potentially tools like docker-compose.

Example​

If you wanted a list of images with the libpod endpoint, you would use the following endpoint:

<endpoint_base_url>/libpod/images/json

And if you wanted a list of images but in docker-compatibility, you would use:

<endpoint_base_url>/images/json

In our proof of concepts, we have tested our endpoint with the docker-py project. There are of course subtle differences which we are still working on. And there are compatibility endpoints that we can not support like swarm which Podman does not support.

We are working on a set of Golang bindings for the libpod endpoints. Eventually these bindings will be used to rewire our remote client. The rewire begins after all the libpod endpoints are working and have tests. We plan on working with the upstream community on podman-python support for the new libpod API, enabling python developers fully support for using podman containers.

As for the existing varlink code, it has been in maintenance mode already. We will continue to address bugs but no new functionality will be developed. Once the new API is fully implemented, we plan to make a deprecation announcement.

We are hopeful these changes help our users and larger community. We hope that the new API helps encourage contributors to help us complete the API as well as write bindings. Look for more information in the near future including status updates as well as how-tos.

Bioinformatics with rootless podman

By Valentin Rothberg GitHub​

Over the last 10 years I've seen machines and workflows evolve where I work. From the initial dedicated server, to hpc environments and now the latest instance, containers.

From an admin point of view this is great - The initial servers had to be carefully built and maintained so that everything would work nicely together. Incompatible programs at that time were run through a VM until such time as they could be folded in to the mix.

The HPC's had versioned software and environment modules and were built to load the relevant dependencies at run time.

Now we are into a new era, containers - and not just any old containers, but containers that end users can build and run up fairly quickly to perform what-if's, and move on quickly through iterations until they perform the required functions.

Podman has developed very rapidly and is incredibly easy to use. You can use it in conjunction with quay.io or run it on a local machine.

I should add that Adrian Reber gave a talk and has also created a Podman article using openhpc; well worth a watch and a read.

If you don't have a RedHat Developer Subscription now is an ideal time to get one:

https://developers.redhat.com/articles/getting-red-hat-developer-subscription-what-rhel-users-need-know/

..and download RedHat Enterprise 8.1

Do a Standard RedHat GUI Server default install

yum update
yum module install container-tools

RedHat 8.1 does rootless containers right out of the box. If you created a user during the setup, it'll have the details in /etc/subuid and /etc/subgid already.

Log in with your userID and you can start creating a container

podman pull ubi8/ubi
podman run --interactive --tty ubi8/ubi bash

The first command pulls down the ubi8 Universal Base Image, which is a great building block. The second command starts an interactive ubi8 image at a bash prompt. You can run any commands you like in this:

[nbh23@colombo ~]$ podman run --interactive --tty ubi8/ubi bash
[root@f471459c7619 /]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.1 (Ootpa)
[root@f471459c7619 /]#

Notice how the prompt changed from nbh23@colombo to root@f471459c7619 - the f471459c7619 is the part to remember, we'll interact with that later on in this post. It's a random allocation, so your instance will be different.

The Podman help menu's are excellent, podman -h gives you a list of subcommands, which you can then also query:

[nbh23@colombo ~]$ podman -h
manage pods and images

Usage:
  podman [flags]
  podman [command]

Available Commands:
  attach      Attach to a running container
  build       Build an image using instructions from Dockerfiles
  commit      Create new image based on the changed container
  container   Manage Containers
  cp          Copy files/folders between a container and the local filesystem
  create      Create but do not start a container
  diff        Inspect changes on container's file systems
  events      Show podman events
  exec        Run a process in a running container
  export      Export container's filesystem contents as a tar archive
  generate    Generated structured data
  healthcheck Manage Healthcheck
  help        Help about any command
  history     Show history of a specified image
  image       Manage images
  images      List images in local storage
  import      Import a tarball to create a filesystem image
  info        Display podman system information
  init        Initialize one or more containers
  inspect     Display the configuration of a container or image
  kill        Kill one or more running containers with a specific signal
  load        Load an image from container archive
  login       Login to a container registry
  logout      Logout of a container registry
  logs        Fetch the logs of a container
  mount       Mount a working container's root filesystem
  pause       Pause all the processes in one or more containers
  play        Play a pod
  pod         Manage pods
  port        List port mappings or a specific mapping for the container
  ps          List containers
  pull        Pull an image from a registry
  push        Push an image to a specified destination
  restart     Restart one or more containers
  rm          Remove one or more containers
  rmi         Removes one or more images from local storage
  run         Run a command in a new container
  save        Save image to an archive
  search      Search registry for image
  start       Start one or more containers
  stats       Display a live stream of container resource usage statistics
  stop        Stop one or more containers
  system      Manage podman
  tag         Add an additional name to a local image
  top         Display the running processes of a container
  umount      Unmounts working container's root filesystem
  unpause     Unpause the processes in one or more containers
  unshare     Run a command in a modified user namespace
  varlink     Run varlink interface
  version     Display the Podman Version Information
  volume      Manage volumes
  wait        Block on one or more containers

Flags:
      --cgroup-manager string        Cgroup manager to use (cgroupfs or systemd, default systemd)
      --cni-config-dir string        Path of the configuration directory for CNI networks
      --config string                Path of a libpod config file detailing container server configuration options
      --conmon string                Path of the conmon binary
      --cpu-profile string           Path for the cpu profiling results
      --default-mounts-file string   Path to default mounts file
      --events-backend string        Events backend to use
      --help                         Help for podman
      --hooks-dir strings            Set the OCI hooks directory path (may be set multiple times)
      --log-level string             Log messages above specified level: debug, info, warn, error, fatal or panic (default "error")
      --namespace string             Set the libpod namespace, used to create separate views of the containers and pods on the system
      --network-cmd-path string      Path to the command for configuring the network
      --root string                  Path to the root directory in which data, including images, is stored
      --runroot string               Path to the 'run directory' where all state information is stored
      --runtime string               Path to the OCI-compatible binary used to run containers, default is /usr/bin/runc
      --storage-driver string        Select which storage driver is used to manage storage of images and containers (default is overlay)
      --storage-opt stringArray      Used to pass an option to the storage driver
      --syslog                       Output logging information to syslog as well as the console
      --tmpdir string                Path to the tmp directory
      --trace                        Enable opentracing output
      --version                      Version for podman

Use "podman [command] --help" for more information about a command.
[nbh23@colombo ~]$ podman image -h
Manage images

Usage:
  podman image [command]

Available Commands:
  build       Build an image using instructions from Dockerfiles
  exists      Check if an image exists in local storage
  history     Show history of a specified image
  import      Import a tarball to create a filesystem image
  inspect     Display the configuration of an image
  list        List images in local storage
  load        Load an image from container archive
  prune       Remove unused images
  pull        Pull an image from a registry
  push        Push an image to a specified destination
  rm          Removes one or more images from local storage
  save        Save image to an archive
  sign        Sign an image
  tag         Add an additional name to a local image
  tree        Prints layer hierarchy of an image in a tree format
  trust       Manage container image trust policy

[nbh23@colombo ~]$

We can list out the images and containers as follows, which is handy if you lose track of where you are at.

[nbh23@colombo ~]$ podman image list
REPOSITORY                            TAG      IMAGE ID       CREATED       SIZE
registry.access.redhat.com/ubi8/ubi   latest   096cae65a207   5 weeks ago   239 MB
[nbh23@colombo ~]$ podman container list
CONTAINER ID  IMAGE                                       COMMAND  CREATED      STATUS          PORTS  NAMES
a1fc64bd8e47  registry.access.redhat.com/ubi8/ubi:latest  bash     2 hours ago  Up 2 hours ago         zen_albattani
[nbh23@colombo ~]$

So we created a container to interact with, but how about creating a new image? I found that Podman is very easy to interact with and created a Dockerfile. This is a list of commands in a text file that controls what gets installed. Create a new directory - in this case whatshap, to put the Dockerfile in:

[nbh23@colombo whatshap]$ cat Dockerfile
FROM registry.access.redhat.com/ubi8/ubi
RUN yum -y update \
&& yum -y install python3 \
&& yum -y install make \
&& yum -y install gcc \
&& yum -y install redhat-rpm-config \
&& yum -y install zlib-devel \
&& yum -y install bzip2-devel \
&& yum -y install xz-devel \
&& yum -y install python3-devel \
&& yum clean all
RUN pip3 install pysam && pip3 install whatshap

Then we build the container image - from within the whatshap directory run:

podman build -t whatshap .

Notice the '.' at the end, that's important!

You'll see the container image start to build, with notifications of where it's at. If all goes to plan you will then finally see notification that it's completed:

STEP 4: COMMIT whatshap
d523727fc6c297086e84e7ec99f62e8f5e6d093d9decb1b58ee8a4205d46b3dd

We can then check it works:

[nbh23@colombo whatshap]$ podman run -it whatshap
[root@ac05564bd51b /]# whatshap -h
usage: whatshap [-h] [--version] [--debug]
                {phase,stats,compare,hapcut2vcf,unphase,haplotag,genotype} ...

positional arguments:
  {phase,stats,compare,hapcut2vcf,unphase,haplotag,genotype}
    phase               Phase variants in a VCF with the WhatsHap algorithm
    stats               Print phasing statistics of a single VCF file
    compare             Compare two or more phasings
    hapcut2vcf          Convert hapCUT output format to VCF
    unphase             Remove phasing information from a VCF file
    haplotag            Tag reads by haplotype
    genotype            Genotype variants

optional arguments:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  --debug               Print debug messages
[root@ac05564bd51b /]#

Which all looks good - we now have our container image and can re-run that to do our whatshap analysis.

All well and good, but what happens about storage of that analysis?

We can add that to our Podman command, if we have a directory called data in /home we can map that as follows:

podman run -v /home/nbh23/data:/home/nbh23:z -it whatshap

The nice thing is that the UID and GID for files created this way all match up. The trailing :z makes selinux happy :-)

[nbh23@colombo whatshap]$ podman run -v /home/nbh23/data:/home/nbh23:z -it whatshap
[root@fef561d523b8 /]# ls
bin  boot  dev  etc  home  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
[root@fef561d523b8 /]# cd /home
[root@fef561d523b8 home]# ls
nbh23
[root@fef561d523b8 home]# cd nbh23
[root@fef561d523b8 nbh23]# touch testfile
[root@fef561d523b8 nbh23]# ls -la
total 0
drwxrwxr-x. 2 root root 22 Jan 21 09:09 .
drwxr-xr-x. 3 root root 19 Jan 21 09:09 ..
-rw-r--r--. 1 root root  0 Jan 21 09:09 testfile
[root@fef561d523b8 nbh23]# exit
[nbh23@colombo ~]$ ls
Containers  data  Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos
[nbh23@colombo ~]$ cd data
[nbh23@colombo data]$ ls -la
total 4
drwxrwxr-x.  2 nbh23 nbh23   22 Jan 21 09:09 .
drwx------. 17 nbh23 nbh23 4096 Jan 21 09:07 ..
-rw-r--r--.  1 nbh23 nbh23    0 Jan 21 09:09 testfile
[nbh23@colombo data]$

One of the things I discovered whilst creating a more complex container image was that you can start the existing image into a bash session, doing the manipulation that you require, and then use the Podman commit command to write those changes. For example using our whatshap container image we can run it as follows:

[nbh23@colombo data]$ podman run -it whatshap bash
[root@73c4742e4724 /]#

We can then make our alterations, and from another session commit those changes:

[nbh23@colombo ~]$ podman commit 73c4742e4724 whatshap-altered
Getting image source signatures
Copying blob c630f5c3e169 skipped: already exists
Copying blob 4bd7408cc1c8 skipped: already exists
Copying blob 1383f0e3c813 skipped: already exists
Copying blob a2ff5e229058 skipped: already exists
Copying blob b75bf3e68dab done
Copying config 931b7f5302 done
Writing manifest to image destination
Storing signatures
931b7f5302af9965bff14e460c19ff9e756d74095940c6d85e63f929006c35f0
[nbh23@colombo ~]$

Then do podman image list to see what we have:

[nbh23@colombo ~]$ podman image list
REPOSITORY                            TAG      IMAGE ID       CREATED              SIZE
localhost/whatshap-altered            latest   931b7f5302af   About a minute ago   545 MB
localhost/whatshap                    latest   d523727fc6c2   3 days ago           545 MB
registry.access.redhat.com/ubi8/ubi   latest   096cae65a207   5 weeks ago          239
[nbh23@colombo ~]$

You can make multiple changes to your original container image until you are satisfied that it's working as you'd like.

This has covered command line container image creation and usage, I'll be creating another blog post detailing graphical interactive containers as i'm aware that there are various interactive visual programs to cover too.

Feel free to contact me with any ideas or suggestions / questions.

Running containers with Podman and shareable systemd services

By Bryan Hepworth GitHub​

Podman version 1.7 is coming out soon and will include new features that will make management of containers with systemd services even easier. Valentin Rothberg has a blog post on the Red Hat Enable Sysadmin site that previews the features: Running containers with Podman and shareable systemd services. In the post Valentin goes over the highlights and then gives a great working example.

Working with Linux containers on RHEL 8 with Podman, image builder and web console

By Tom Sweeney GitHub​

Do you want to know how to setup RHEL 8 to run containers using Podman? Xuegang Jin has a blog post on the Red Hat Blog about this very subject, Working with Linux containers on RHEL 8 with Podman, image builder and web console. In the post Xuegang explains how you can use Image Builder to create an OS image, how to run containers with Podman, and how to check the host and containers performance using Web Console.

Understanding root inside and outside a container

By Tom Sweeney GitHub​

Do you run containers as root, or as a regular user? Scott McCarty has a blog post on the Red Hat Blog about this very subject, Understanding root inside and outside a container. In the post Scott walks you through what a rootless container does and how it can be a safer alternative to a container run by root.

Rootless Podman and NFS

By Dan Walsh GitHub​

Dan Walsh has another blog post on the Red Hat Enable Sysadmin site this time about Rootless Podman and NFS. In the post Dan talks about how you can make some minor configuration changes to allow Podman to use a user's home directory on an NFS share. Give it a read!

How To Install Podman on Debian

By Tom Sweeney GitHub​

Josphat Mutai posted a blog post on the Computing for Geeks site talking about How To Install Podman on Debian. In the post Josphat walks through all the steps necessary from 'A' to 'Z' to get Podman up and running on Debian and how to do some initial Podman commands.

Leasing routable IP addresses with Podman containers

By Brent Baude GitHub​

Brent Baude has another blog post on the Red Hat Enable Sysadmin site this time about Leasing routable IP addresses with Podman containers. In the post Brent talks about using the macvlan and the dhcp plugins that ship with the container-networking project in order to lease ip addresses for your containers.

Fedora 31 and Control Group v2

By Dan Walsh GitHub​

Dan Walsh has another blog post on the Red Hat Enable Sysadmin site this time about Fedora 31 and Control Group v2. In the post Dan talks about the new version of control groups that is part of the Fedora 31 release and how it makes containers even more secure.

Building freely distributed containers with open tools

By Tom Sweeney GitHub​

Scott McCarty (@fatherlinux) has an amazing video on YouTube about Building freely distributed containers with open tools. As only Scott could say "Although explaining how to ride a Tron-style light cycle is beyond the scope of this tutorial, we will discuss something almost as exhilarating—building containers with #Podman and #RedHat Universal Base Image (UBI). We will cover how to build and run #containers based on #UBI using just your regular user account—no daemon, no root (rootless), no fuss. Finally, we will order the deresolution of all of our containers with a really cool command. You probably won’t be promoted to CEO of ENCOM after this talk, but you will have new tools in your toolbelt for how to find, run, build, and share container images."

Basic security principles for containers and container runtimes

By Brent Baude GitHub​

Brent Baude has another blog post on the Red Hat Enable Sysadmin site this time about Basic security principles for containers and container runtimes. In the post Brent talks about the three core security themes concerning containers and why user privileges matter in the space.

Migrating from Docker to Podman

By Tom Sweeney GitHub​

Elliott Sales de Andrade's post on Quantum Logic, Migrating from Docker to Podman takes a look at his migration from Docker to Podman and a good assessment of where the Podman tool stands in comparison to Docker.

The current adoption status of cgroup v2 in containers

By Tom Sweeney GitHub​

In case you missed Akihiro Suda's post on Medium.com, The current adoption status of cgroup v2 in containers, here's a quick link to it. In the article Akihiro talks all things cgroup v2 and what changes it promises to bring to the world of containers, and Podman is at the forefront of that change.

First Look: Rootless Containers and cgroup v2 on Fedora 31

By Tom Sweeney GitHub​

I often times stay up too late at night watching late night television and run into these crazy commercials that tell you how easy their product is to use. If you’ve stayed up too, you know them as well. Just put your chicken and veggies in our oven, press 3 buttons and 45 minutes later a perfectly cooked meal! Easy! Got a leak? Slap on this tape and no more leak! Easy! Got a messy floor, just use this sweeper and you’ve the cleanest floor in the neighborhood! Easy!

Podman runs secure rootless containers and it really is easy! Trust me, I’m not like those other folks! As we’ve had a number of people asking us about what’s needed to set Podman rootless containers up, I decided to run through the process myself and to blog about the steps I took.

The first bit of the work has to be done as either the root user or someone with root privileges. For this walkthrough I used the root user on the console and the first thing I did was to upgrade my Fedora 30 Virtual Machine (VM) to Fedora 31. If you want to install Fedora 31 directly, the beta version just became available at the time of this writing, you could do that instead. The steps to do the upgrade are:

# dnf -y upgrade --refresh
# dnf -y install dnf-plugin-system-upgrade
# dnf -y system-upgrade download --releasever=31
# dnf system-upgrade reboot

After the machine finished rebooting, my VM was running Fedora 31 so now I needed to install Podman with dnf -y install podman. After that completes, verify that you have Podman Version 1.6.2 or higher.

# podman version
Version:            1.6.2
RemoteAPI Version:  1
Go Version:         go1.13.1
OS/Arch:            linux/amd64

Now I’m going to follow the steps in the Basic Setup and Use of Podman in a Rootless environments tutorial to do the configuration necessary to run rootless containers.

Podman running rootless containers does have a few software dependencies. Most if not all of these should be installed for you on Fedora 31 by default, but just to verify I did:

# dnf -y install slirp4netns fuse-overlayfs
Last metadata expiration check: 0:02:26 ago on Sat 14 Sep 2019 07:56:03 PM EDT.
Package slirp4netns-0.4.0-20.1.dev.gitbbd6f25.fc31.x86_64 is already installed.
Package fuse-overlayfs-0.6.2-2.git67a4afe.fc31.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

Now the user namespaces need to be setup. Rootless Podman requires the user running it to have a range of UIDs and GIDs listed in the /etc/subuid and /etc/subgid files. These files control which UIDs and GIDs the user is allocated to use on the system. Depending upon how your user was first created, these files may already have entries in them for your user. If so, you don’t need to do anything else. If not, then you can edit either file directly, or you can use useradd to create the user and allocate entries in both files, or you can use the usermod command to allocate them for a preexisting user. In this example usermod has allocated the values from 10000 to 55537 for the local “tom” account to use in our system.

# usermod -v 10000-65536 -w 10000-65536 tom

# cat /etc/subuid
tom:10000:55537

# cat /etc/subgid
tom:10000:55537

If you have multiple users, you’ll need to be sure that the ranges that are assigned to them in either /etc/subuid or /etc/subgid don’t overlap or they could gain control of the other persons containers in that overlap.

Now we’re done running with a privileged account. From here on out we can run as a non-privileged user, so I next opened up a new terminal and ssh’d into the host using the non-privileged ‘tom’ account:

$ ssh tom@192.168.122.228
tom@192.168.122.228's password:

The first thing to do is to check for the crun command.

# whereis crun
crun: /usr/bin/crun /usr/share/man/man1/crun.1.gz

The crun command is the runtime the allows for cgroup V2 support and is supplied starting with Fedora 31. Other container systems use the runc runtime. However, runc only supports cgroup V1. The cgroup kernel feature allows you to allocate resources such as CPU time, network bandwidth and system memory to a container. Version 1 of cgroup only supports containers that are run by root, while version 2 supports containers that are run by root or a non-privileged user.

A few tweaks to the ‘tom’ account config files may be needed, in most cases these files will not need tweaking, but let’s verify them. The first up is libpod.conf and to get a default variant of that file, just run podman info first.

$ podman info
$ vi .config/containers/libpod.conf

And if it’s not already set, set the runtime option in libpod.conf to “crun”.

runtime = "crun"

Then in .config/containers/storage.conf make sure the mount_program = “/usr/bin/fuse-overlayfs” line is uncommented.

Just that easy, you’re ready to run Rootless Podman. See I told you I’m not like those other guys! Let’s try setting up a rootless container running httpd. Let’s create this Dockerfile in the local directory:

$ cat Dockerfile
FROM registry.access.redhat.com/ubi8/ubi:8.0

MAINTAINER Podman Mailing List <podman@lists.podman.io>
ENV DOCROOT=/var/www/html

RUN yum --disableplugin=subscription-manager --nodocs -y install httpd \
  && yum --disableplugin=subscription-manager clean all \
  && echo "Hello from the httpd-parent container!" > ${DOCROOT}/index.html

EXPOSE 80

CMD httpd -D FOREGROUND

And now build using it:

$  podman build -t myhttp .
STEP 1: FROM registry.access.redhat.com/ubi8/ubi:8.0
Getting image source signatures
Copying blob 641d7cc5cbc4 done
Copying blob c65691897a4d done
Copying config 11f9dba4d1 done
Writing manifest to image destination
Storing signatures
STEP 2: MAINTAINER Podman Mailing List <podman@lists.podman.io>
bed974e664909b511f14e2cc21a59642c81fd1d958db12d7ef8fdc1e74f3d364
STEP 3: ENV DOCROOT=/var/www/html
5eee83e1e640a4aa2c5f39caa11c3a24ec22e37f99633c2ee9912e8f65a5ff81
STEP 4: RUN yum --disableplugin=subscription-manager --nodocs -y install httpd   && yum --disableplugin=subscription-manager clean all   && echo "Hello from the httpd-parent container!" > ${DOCROOT}/index.html
Red Hat Universal Base Image 8 (RPMs) - AppStre 1.0 MB/s | 2.3 MB     00:02
Red Hat Universal Base Image 8 (RPMs) - BaseOS  769 kB/s | 754 kB     00:00
Dependencies resolved.
{A number of normal yum output lines removed for brevity}
Installed:
  httpd-2.4.37-12.module+el8.0.0+4096+eb40e6da.x86_64
  apr-util-openssl-1.6.1-6.el8.x86_64
  apr-util-bdb-1.6.1-6.el8.x86_64
  apr-1.6.3-9.el8.x86_64
  apr-util-1.6.1-6.el8.x86_64
  httpd-tools-2.4.37-12.module+el8.0.0+4096+eb40e6da.x86_64
  mod_http2-1.11.3-3.module+el8.0.0+4096+eb40e6da.x86_64
  httpd-filesystem-2.4.37-12.module+el8.0.0+4096+eb40e6da.noarch
  mailcap-2.1.48-3.el8.noarch
  redhat-logos-httpd-80.7-1.el8.noarch

Complete!
16 files removed
45fcaaf719615e97190bf38aa9d8d06e5437f0e10741343fd318777647584d6f
STEP 5: EXPOSE 80
865abb5a809cb0ffbc63fef2def892595fe54cfeffc67013a0096a5f0fff4b27
STEP 6: CMD httpd -D FOREGROUND
STEP 7: COMMIT myhttp
f8d0bf10faa0460a111283a51d95e94421d1a46a21bca7f6f43a762469504593

Now to verify the myhttp image has been created:

$ podman images
REPOSITORY                            TAG      IMAGE ID       CREATED         SIZE
localhost/myhttp                      latest   a76baf5989a3   2 minutes ago   236 MB
registry.access.redhat.com/ubi8/ubi   8.0      11f9dba4d1bc   5 weeks ago     216 MB