How to Run Containers?
- Container images are configured with an entry point, which is the default command to be executed
- If the container starts a service, the entry point is executed and the container will continue to run in the foreground
- If the entry point is just a command, it is executed, after which the container stops. This frequently confuses people who started with virtualization. Take an Ubuntu container, which is configured with a shell as its entry point: the container starts the shell, the shell finishes, and the container stops. That is in contrast to working with virtual machines.
- With a virtual machine, you start the machine, open a shell, and it waits until you tell it what to do. That is why it is important to distinguish between a system container and an application container.
- A system container is used as a foundation container: it runs its entry point and then exits. System containers are not a replacement for virtual machines. They are just meant to be the foundation for whatever else you want to do, such as creating your own images.
- An application container starts a service as its entry point. Because the service keeps running as a daemon, the container continues to run until it is stopped.
Running a Container with podman
- Before running a container with podman, decide whether it should run as a rootless container or with root privileges. A container is just a process on the Linux system, so for better security it is always recommended to run rootless containers.
- Running a non-root container comes with its own challenges, such as access to privileged ports and files
- podman search can be used to identify a specific container image
- podman pull can be used to download the image to the local system
- podman images can be used to list the already available images
- podman run can be used to run a container
- Login credentials are used for accessing container images from some of the available registries
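The privileged-port limit mentioned above can be checked before a rootless container is started. The following is an added example, not part of the original tutorial: the helper names are hypothetical, and it assumes the `-p` forms `containerPort`, `hostPort:containerPort`, `ip:hostPort:containerPort` and `ip::containerPort` (IPv6 addresses are not handled).

```shell
#!/bin/sh
# Added example: will a rootless `podman run -p SPEC` hit the privileged-port limit?

# Lowest port an unprivileged process may bind. The kernel default is 1024;
# an administrator can change it with the sysctl net.ipv4.ip_unprivileged_port_start.
unprivileged_port_start() {
    f=/proc/sys/net/ipv4/ip_unprivileged_port_start
    if [ -r "$f" ]; then cat "$f"; else echo 1024; fi
}

# host_port_of SPEC: print the host port a -p value asks for (the lowest port
# of a range), or "random" when no host port is given and podman picks one.
host_port_of() (
    spec=${1%/*}                        # drop an optional /tcp or /udp suffix
    case $spec in
        *:*:*) rest=${spec#*:}; host=${rest%%:*} ;;   # ip:host:ctr or ip::ctr
        *:*)   host=${spec%%:*} ;;                    # host:ctr
        *)     host= ;;                               # ctr only
    esac
    host=${host%%-*}                    # for a range, the lowest port decides
    echo "${host:-random}"
)

# rootless_can_publish SPEC [START]: succeed if a rootless container can
# publish SPEC. START overrides the value read from the running kernel.
rootless_can_publish() (
    start=${2:-$(unprivileged_port_start)}
    host=$(host_port_of "$1")
    [ "$host" = random ] || [ "$host" -ge "$start" ]
)

# Constructed sample mappings, checked against this machine's limit.
for spec in 80:80 8080:80 127.0.0.1:443:8443/tcp 80; do
    if rootless_can_publish "$spec"; then
        verdict="ok for a rootless container"
    else
        verdict="below the unprivileged port start: pick a higher host port"
    fi
    printf '%-26s %s\n' "-p $spec" "$verdict"
done
```
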
Install container environment
The container environment is installed with the yum module container-tools, which is not installed by default. The module installs podman, a container runtime, and other tools such as skopeo, a utility for analyzing images before we pull them.
yum module install container-tools
Installed:
  aardvark-dns-2:1.1.0-5.module+el8.7.0+17498+a7f63b89.x86_64
  crun-1.5-1.module+el8.7.0+17498+a7f63b89.x86_64
  netavark-2:1.1.0-7.module+el8.7.0+17498+a7f63b89.x86_64
  python3-podman-4.2.1-1.module+el8.7.0+17498+a7f63b89.noarch
  python3-pytoml-0.1.14-5.git7dea353.el8.noarch
  skopeo-2:1.9.3-1.module+el8.7.0+17498+a7f63b89.x86_64
  toolbox-0.0.99.3-0.6.module+el8.7.0+17498+a7f63b89.x86_64
  udica-0.2.6-4.module+el8.7.0+17498+a7f63b89.noarch
Complete!
Identify podman image
First we have to identify the image we need for our container. The podman search command can be used for this.
Note: It is recommended to log in to the Red Hat registry with the podman login command; if not, the images will be pulled from the Docker Hub registry.
The snippet below shows podman search being used to find the Universal Base Image (ubi)
~]# podman search ubi
NAME  DESCRIPTION
registry.access.redhat.com/ubi8/go-toolset  Platform for building and running Go 1.11.5...
registry.access.redhat.com/ubi9/go-toolset  rhcc_registry.access.redhat.com_ubi9/go-tool...
registry.access.redhat.com/ubi8/openjdk-8-runtime  OpenJDK 1.8 runtime-only image on Red Hat Un...
registry.access.redhat.com/ubi8/openjdk-11-runtime  OpenJDK 11 runtime-only image on Red Hat Uni...
registry.access.redhat.com/ubi8/openjdk-17-runtime  OpenJDK 17 runtime-only image on Red Hat Uni...
registry.access.redhat.com/ubi7  The Universal Base Image is designed and eng...
registry.access.redhat.com/ubi9-beta/ubi  Provides the latest release of Red Hat Unive...
registry.access.redhat.com/ubi7/ubi-minimal  The Universal Base Image Init is designed to...
<trimmed>
registry.redhat.io/ubi9-micro  rhcc_registry.access.redhat.com_ubi9-micro
registry.redhat.io/jboss-webserver-5/jws57-openjdk11-openshift-rhel8  rhcc_registry.access.redhat.com_jboss-webser...
registry.redhat.io/jboss-webserver-5/jws57-openjdk8-openshift-rhel8  rhcc_registry.access.redhat.com_jboss-webser...
registry.redhat.io/ubi7/ubi  The Universal Base Image is designed and eng...
registry.redhat.io/ubi8/ubi  Provides the latest release of the Red Hat U...
registry.redhat.io/ubi8  The Universal Base Image is designed and eng...
registry.redhat.io/ubi9/ubi  rhcc_registry.access.redhat.com_ubi9/ubi
docker.io/redhat/ubi8  Red Hat Universal Base Image 8
docker.io/redhat/ubi8-minimal  Red Hat Universal Base Image 8 Minimal
docker.io/redhat/ubi8-init  Red Hat Universal Base Image 8 Init
docker.io/redhat/ubi8-micro
- podman search returns a list of images matching the query we gave it. From the available images, we can select the one we need
- For this exercise, I will choose ubi8/ubi from the Red Hat registry
- The snippet above also lists images from the Docker registry. This is because podman search looks for the image in every available registry
Pull the image for container
- This is an optional step, but for end-to-end understanding we will do it the first time
- We can use the podman pull command to download the image from the registry
~]# podman pull registry.redhat.io/ubi8/ubi
Trying to pull registry.redhat.io/ubi8/ubi:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 649e5534d134 done
Copying config 6a2ef33ab9 done
Writing manifest to image destination
Storing signatures
6a2ef33ab97f171b57b06cba98a306d4b78f5a0604f576fa5d7b0c5e76481d73
- The snippet above shows that when we execute the pull command, a blob is copied
- These blobs are the different layers that the image is composed of.
- A container image typically has multiple layers, and each layer is managed independently
- The podman images command shows the pulled/available images
]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry.redhat.io/ubi8/ubi latest 6a2ef33ab97f 2 weeks ago 214 MB
Running Containers on Podman
- The podman run command creates a container from the image we pulled in the previous step
podman run registry.redhat.io/ubi8/ubi
- podman ps will list the container which we have created
]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
- But the above command does not list any container. This is because the podman ps command only lists running containers
- To list all available containers, we have to use podman ps -a
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                               COMMAND    CREATED        STATUS                    PORTS  NAMES
b8e0c1f9c160  registry.redhat.io/ubi8/ubi:latest  /bin/bash  3 minutes ago  Exited (0) 3 minutes ago         gallant_mahavira
- The snippet above shows the details of the container we created. The name gallant_mahavira is a random name assigned by podman. The user can set a custom container name when executing the podman run command
Running a System Container on Podman
- We will run an nginx container in detached mode
- We will skip the image pull step, as it is an optional step
[root@localhost ~]# podman run -d nginx
Resolved "nginx" as an alias (/var/cache/containers/short-name-aliases.conf)
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob c8b9881f2c6a done
Copying blob d2c0556a17c5 done
Copying blob 8740c948ffd4 done
Copying blob b2fe3577faa4 done
Copying blob 693c3ffa8f43 done
Copying blob 8316c5e80e6d done
Copying config a99a39d070 done
Writing manifest to image destination
Storing signatures
6f2f88ec814b7834f278b83a7bb031d1c2a583a1bc52c158df647ba7fc304141
- The snippet above shows that the image layers are copied even though we skipped the image pull
- When we list the containers using podman ps, we can see that the nginx container is still running
~]# podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS  NAMES
6f2f88ec814b  docker.io/library/nginx:latest  nginx -g daemon o...  4 minutes ago  Up 4 minutes ago         romantic_jang
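The nginx run above started from a short name that podman resolved through an alias to docker.io, and both pulls in this tutorial ended up on the floating `latest` tag. The following added example (not part of the original tutorial; the function names are hypothetical, and `localhost:5000/app:1.2` and the `<digest>` placeholder are constructed) classifies image references so that short names and floating tags can be flagged before `podman pull` or `podman run`. It uses a simplified form of the usual rule that the first path component is a registry host only if it contains `.` or `:` or is `localhost`.

```shell
#!/bin/sh
# Added example: classify container image references before pulling or running them.
#   short-name  no registry host; resolved through aliases or search registries
#   floating    fully qualified, but no tag or the tag "latest"
#   tagged      fully qualified with an explicit tag other than "latest"
#   pinned      fully qualified with an @sha256: digest
classify_image_ref() (
    ref=$1
    first=${ref%%/*}                    # candidate registry host
    last=${ref##*/}                     # final path component, may carry the tag
    qualified=no
    case $ref in
        */*) case $first in *.*|*:*|localhost) qualified=yes ;; esac ;;
    esac
    case $last in *:*) tag=${last##*:} ;; *) tag= ;; esac
    if [ "$qualified" = no ]; then echo short-name
    elif [ "${ref#*@sha256:}" != "$ref" ]; then echo pinned
    elif [ -z "$tag" ] || [ "$tag" = latest ]; then echo floating
    else echo tagged
    fi
)

# audit_refs: read one reference per line on stdin, print "<class> <ref>",
# and fail if any reference is a short name.
audit_refs() (
    rc=0
    while IFS= read -r ref; do
        [ -n "$ref" ] || continue
        class=$(classify_image_ref "$ref")
        printf '%-10s %s\n' "$class" "$ref"
        if [ "$class" = short-name ]; then rc=1; fi
    done
    [ "$rc" -eq 0 ]
)

# References used in this tutorial plus two constructed ones (the last two).
audit_refs <<'EOF' || echo "short names found: use the full registry path"
nginx
registry.redhat.io/ubi8/ubi
docker.io/library/nginx:latest
localhost:5000/app:1.2
registry.redhat.io/ubi8/ubi@sha256:<digest>
EOF
```
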
Running a Container in an Interactive Terminal
- The command below can be used to run a container in an interactive terminal
~]# podman run -it registry.redhat.io/ubi8/ubi /bin/bash
[root@f36fbc4c4d1e /]#
- In the snippet above, we got a root shell in the container f36fbc4c4d1e