Skip to main content

Podman

  • Padman is an open source tool that you can use to manage your containers locally.
  • With Podman you can find,run,build or deploy OCI(Open Container Initiative) containers and container images.
  • Podman is daemonless
    • A daemon is a process that is always running and ready for receiving incoming requests.
    • Having a demon to process the proxy of requests brings a single point of failure.
    • A demon might require elevated privileges which is a security concern.
    • Podman interacts directly with containers,images,and registries without a daemon.
  • Podman comes in the form of a command-line interface(CLI), which is supported for several operating syatems.
  • Podman provides two additional ways to interact with your containers and automate processes, the RESTful API and a desktop application called Podman Desktop.
  • Podman CLI
    • We can use the podman command to run different commands on podman.
      • podman -v
    • We can fetch container images from image registries using podman pull command.
      • podman pull quay.io/podman/hello
    • We can list the images in your system by using the podman images command
      • podman images
    • We can use the podman run command to create a new container that uses the image
      • podman run quay.io/podman/hello
    • We can list the running containers by using the podman ps command
      • podman ps
      • podman ps command lists the following details for your containers.
        • the container's ID
        • the name of the image that the container is using
        • the command that the container is executing
        • the time that the container was created
        • the status of the container
        • the exposed ports in the container
        • the name of the container
    • We can list all containers (running and stopped) by adding the --all flag to the podman ps command
      • podman ps --all
    • We can also automatically remove a container when it exits by adding the --rm option to the podman run command
      • podman run --rm quay.io/podman/hello
    • You can assign a name to your containers by adding the --name flag to the podman run command.
      • podman run --name hello_gaurav quay.io/podman/hello
    • If you want to retrieve the UUID long container ID, then you can add the --format=json flag to the podman ps --all command
      • podman ps --all --format=json
    • You can use the -p option to map a port in your local machine to a port inside the container. This way, the traffic in your local port is forwarded to the port inside the container, thus, allowing you to access the application from your computer.
      • podman run --name mysql-container -e MYSQL_ROOT_PASSWORD=postgres -d -p 3307:3306 mysql:latest
    • If you want the container to run in the background, to avoid the terminal being blocked, then you can use the -d option
  • If a name is not provided during the creation of a container, then Podman generates a random string name for the container.
  • Podman can identify the containers either by the Universal Unique Identifier (UUID) short identifier, which is composed of twelve alphanumeric characters, or by the UUID long identifier, which is composed of 64 alphanumeric characters.
Envirnoment Variables
  • Environment variables are variables used in your applications that are set outside of the program.
  • The operating system or the environment where the application runs provides the value of the variable. You can access the environment variable in your application at runtime. For example, in Node.js, you can access environment variables by using process.env.VARIABLE_NAME.
  • Environment variables are a useful and safe way of injecting environment-specific configuration values into your application.
  • For example, your application might use a database hostname that is different for each application environment, such as the database.local, database.stage, or database.test hostnames.
  • You can pass environment variables to a container by using the -e option
    • podman run --name mysql-container -e MYSQL_ROOT_PASSWORD=postgres -d -p 3307:3306 mysql:latest
    • In the above example we are passing password as an envirnoment variable.
Podman Desktop
  • Podman Desktop is a graphical user interface, which is used to manage and interact with containers in local environments. 
  • It uses the Podman engine by default, and supports other container engines as well, such as Docker.
  • Podman Desktop can be useful for users who prefer graphical environments for common tasks, and for beginners who are learning about containers.
  • Podman Desktop is modular and extensible. You can use and create extensions that provide additional capabilities. For example, with the Red Hat OpenShift extension, Podman Desktop can deploy containers to Red Hat OpenShift Container Platform.
  • Podman Desktop is available for Linux, MacOS, and Windows.
Podman Networking
  • Podman comes with a network called podman. By default, containers are attached to this network and can use it to communicate with one another.
  • There may be times when you need to create a new Podman network to better suit the increased communication needs of most applications. The containers running an application API and database can use a separate Podman network to isolate their communication from other containers. 
  • An API container can use yet another network to isolate communication with a third container that hosts the application UI.
  • Podman network management is done via the "podman network" subcommands
    • podman network create
      • Creates a new Podman network. 
      • This command accepts various options to configure properties of the network, including gateway address, subnet mask, and whether to use IPv4 or IPv6.
      • podman network create example-net
    • podman network ls
      • Lists existing networks and a brief summary of each. Options for this command include various filters and an output format to list other values for each network.
    • podman network inspect
      • Outputs a detailed JSON object containing configuration data for the network.
    • podman network rm
      • Removes a network
    • podman network prune
      • Removes any networks that are not currently in use by any running containers.
    • podman network connect
      • Connects an already running container to or from an existing network.
      • We can connect containers to a Podman network on container creation by using the --net option. 
      • podman run -d --name my-container --net example-net docker.io/library/mysql:latest
      • To connect container to multiple networks we can specify network names in a comma-separated list
        • podman run -d --name double-connector --net postgres-net,redis-net docker.io/library/postgres:latest
      • If a container is already running connect it to a network using command
        • podman network connect example-net my-container
    • The disconnect command disconnects a container from a network.
Domain Name Resolution
  • When you use the default Podman network, the domain name system (DNS) for other containers in that network is disabled. 
  • To enable DNS resolution between containers, create a Podman network and connect your containers to that network.
  • When using a network with DNS enabled, a container's hostname or alias is the name assigned to the container. 
  • The other containers on the network can make requests to the first container by using its hostname. 
  • The hostname resolves to the current IP address of the container.
  • We can modify the default podman network and override the predefined value of disabled DNS, but this is discouraged
Connecting Containers
  • You can connect containers to one or more Podman networks.
  • A container once connected to a network, the container can communicate with other containers on that network.
  • Though the containers are reachable to one another, other components might prevent connections.
    • Firewall rules might block a connection coming from another container.
  • A container is available within any network that the container connects to.
  • A running container called nginx-host that uses the example-net network.
    • The container exposes an HTTP server on port 8080.
  • Within another container that uses the same network, the curl command can be used to resolve the root of the HTTP server.
Access Containerized Network Services
  • Port Forwarding
    • A container's network namespace is isolated, which means that a networked application is only accessible within the container.
    • Port forwarding maps a port from the host machine where the container runs to a port inside of a container.
    • The -p option of the podman run command forwards a port. The option accepts the form HOST_PORT:CONTAINER_PORT.
      • sudo podman run -p 3305:3307 -e MYSQL_ALLOW_EMPTY_PASSWORD=true docker.io/library/mysql
    • Without a host specified, the container is assigned the broadcast address (0.0.0.0).
    • This means that the container is accessible from all networks on the host machine.
    • To publish a container to a specific host and to limit the networks it is accessible from we can assign an address as follows
      • podman run -p 127.0.0.1:3304:3306 -e MYSQL_ALLOW_EMPTY_PASSWORD=true docker.io/library/mysql
  • List Port Mappings
    • To list port mappings for a container, use the podman port command.
      • podman port my-app
    • The --all option lists port mappings for all containers.
      • podman port --all
  • Networking in Containers
    • Containers attached to Podman networks are assigned private IP addresses for each network.
    • Other containers in the network can make requests to this IP address.
    • The following command retrieves the private IP address of the container within the apps network.
      • podman inspect mysql-app -f '{{.NetworkSettings.Networks.apps.IPAddress}}'
Accessing Containers
  • Once we package applications as containers to isolate the application process. We lose immediate visibility into the state of the containerized process and its environment.
  • To regain that visibility, containerization tools such as Podman provide a way to start new processes within containers in the running state. 
  • This is useful while reading a log file, verify the value of an environment variable, or debug a process.
Start Processes in Containers
  • Use the podman exec command to start a new process in a running container
    • podman run -d -p 8080:80 --name apache docker.io/library/httpd
    • podman exec apache httpd
    • podman exec -e ENVIRONMENT=dev -l env
      • sets the ENVIRONMENT variable and then executes the env command to print all environment variables
Open an Interactive Session in Containers
  • Use combination of the --tty and --interactive options to open an interactive shell in a running container.
  • If we open a shell program such as Bash or PowerShell in a container without providing any options, then the podman exec command opens the shell program, receives no input, and exits successfully.
  • If you open a shell program with the --interactive option, the podman exec executes the shell program and commands, but the session does not behave like a regular terminal.
    • Features such as command history are not available in this mode and we cannot use programs that require a TTY such as vim.
    • The output is visible, it is hard to differentiate from the input.
      • podman run -d -p 8080:80 --name apache docker.io/library/httpd
      • podman exec -l /bin/bash
  • If you open a shell program with the --tty option, the podman exec executes the shell program and opens a pseudo terminal, but receives no input.
    • podman exec -tl /bin/bash
  • To open an interactive shell in a running container, use the --interactive option. Also include the --tty option to make the session behave like a regular terminal session.
    • podman exec -til /bin/bash
Copy Files In and Out of Containers
  • Some containers do not provide the programs necessary to debug a running process.
    • To print the content of a file we use the cat utility. 
    • But in production-ready containers, a best practice is to package only the libraries required by the application runtime.Such a container might not include basic utilities, such as cat, or an editor such as vi.
    • We can copy the file we want to modify to your host machine, modifying it, and then replacing the original file.
  • Use the podman cp command to copy files to and from a running container.
    • Open terminal ofcontainer using
      • podman exec apache -til /bin/bash
    • change directory to /tmp/logs and write a file
      • root@f221ade6c444: cd /tmp/logs
      • root@f221ade6c444:/tmp/logs# cat > my.txt
      • Hello from Gaurav
    • press ctrl+D to save changes
    • "exit" out of container bash shell 
      • use exit command
    • podman cp apache:/tmp/logs .
      • This command will copy logs directory and its content to present working directory of host.
    • podman cp nginx.conf nginx:/etc/nginx
      • To copy file to a container from host
    • podman cp nginx-test:/etc/nginx/nginx.conf nginx-proxy:/etc/nginx
      • To copy file between containers
Managing the Container Lifecycle
  • Podman provides a set of subcommands to create and manage containers.
  • Podman also provides a set of subcommands to obtain information about running and stopped containers.
    • Use these subcommands to extract information from containers and images for debugging, updating, or reporting purposes.
      • We can list running containers with the podman ps command
        • Each row describes information about the container, such as the image used to start the container,the command executed when the container started, and the container uptime.
        • We can include stopped containers in the output by adding the --all or -a flag to the podman ps command.
      • The podman inspect command returns a JSON array with information about different aspects of the container, such as networking settings, CPU usage, environment variables, status, port mapping, or volumes.
        • Inspecting a container means retrieving the full information of the container.
        • Pass a --format flag to the podman inspect command to filter the command output.
        • The --format flag expects a Go template expression as a parameter, which you can use to select specific fields in the JSON.
        • Go template expressions use annotations, which are delimited by double curly braces ({{ and }}),to refer to elements, such as fields or keys, in a data structure. 
          • The data structure elements are separated by a dot (.) and must start in upper case.
        • podman inspect --format='{{.State.Status}}' nginx
      • You can stop a container gracefully by using the podman stop command.
        • When you execute the podman stop command, Podman sends a SIGTERM signal to the container.
        • Processes use the SIGTERM signal to implement clean-up procedures before stopping.
        • You can stop all the running containers by using the --all or -a flag
        • If a container does not respond to the SIGTERM signal, then Podman sends a SIGKILL signal to forcefully stop the container. 
          • Podman waits 10 seconds by default before sending the SIGKILL signal. You can change the default behavior by using the --time flag.
      • You can send the SIGKILL signal to the container by using the podman kill command which forcefully stops containers.
      • The podman pause command suspends all processes in the container by sending the SIGSTOP signal.
        • The podman unpause command resumes a paused container.
      • Execute the podman restart command to restart a running container.
      • Use the podman rm command to remove a stopped container.
        • We must stop the running container first and then remove it.
        • We can add the --force (or -f) flag to remove the container forcefully.
        • We can add the --all (or -a) flag to remove all stopped containers. This flag fails to remove running containers.
        • We can combine the --force and --all flags to remove all containers, including running containers.
Start a Containerized Service on Boot
  • Systemd is a system and service management tool for Linux operating systems.
  • Systemd uses service unit files to start and stop applications, or to enable them to start at boot time.
  • To create a systemd unit file for a specified service container, use the podman generate systemd command.
  • Use the --name option to specify the container's name. The --files option generates files instead of printing to standard output (STDOUT).
  • After adding or modifying unit files, you must use the systemctl command to reload the systemd configuration.
Managing the Containerized Service
  • To manage a containerized service, use the systemctl command.
  • When you use the --user option, by default, systemd starts the service at your login, and stops it at your logout.
  • You can start your enabled services at the operating system boot, and stop them on shutdown, by running the loginctl enable-linger command.
  • To revert the operation, use the loginctl disable-linger command.

Comments

Post a Comment