-------------------------------------------------------------------------------
Podman

Much of podman is a drop-in replacement for docker, except that it does not
require root.  These notes are about the differences.

Stop warnings about using 'docker' instead of podman
  touch /etc/containers/nodocker

Stop warnings about falling back to --cgroup-manager=cgroupfs
(the ~/.config/containers directory must exist before the redirect below)
  echo '
    | # Stop podman warnings about "fallback to --cgroup_manager=cgroupfs"
    | [engine]
    | events_logger = "file"
    | cgroup_manager = "cgroupfs"
  ' | sed -n '/^ *|/!d; s///; s/^ //; p' \
  > ~/.config/containers/containers.conf

NOTE:
  * Griffith needs a registry prefix added to get external images.
    See "info sysprogs/docker_gu_repo.txt" for details.
  * Podman volume mounts require a ':Z' suffix added for SELinux.
    If the volume will be shared by multiple containers use ':z'.
    This relabels the files in the volume appropriately.
  * A specific SELinux context is needed for exposed files (see codedojo)
    setype: container_file_t

If a registry does not have a valid SSL (TLS) certificate use: --tls-verify=false
(this turns off certificate checking for that registry entirely)

Registry config:  /etc/containers/registries.conf

More help
  https://github.com/containers/podman/blob/main/troubleshooting.md

-------------------------------------------------------------------------------
Disk Locations

Containers get stored in
  ~/.local/share/containers/
  ~/.config/containers/
  /run/user/$(id -u)/containers

Short names for images (what lets 'fedora' stand in for a full registry path)
  /etc/containers/registries.conf.d/000-shortnames.conf

-------------------------------------------------------------------------------
Example root-less pod...

  podman run -t -i --rm fedora bash
or
  podman run -t -i --rm registry.fedoraproject.org/fedora bash

run options...
  -t    --tty, allocate a pseudo-tty
  -i    --interactive, keep stdin open so input can be given
  --rm  remove the container on exit

WARNING: Do not use -t (use -i only) when piping input into podman

-------------------------------------------------------------------------------
Tutorial Example...
  # Create container source
  mkdir ant_hello
  cd ant_hello
  GITHUB=registry.DOMAIN
  echo 'Hello from Anthony' > index.html
  sed -n '/^ *|/!d; s///; s/^ //; p' <<<'
    | FROM '"${GITHUB}"'/library/nginx:latest
    | COPY index.html /usr/share/nginx/html/index.html
  ' > Dockerfile

  # Create Image
  podman build -t ant_hello -f Dockerfile
  podman image ls

  # Run image in a pod (firewall does not need to be open for this)
  podman run -d -p 8080:80 --name ant_hello --rm ant_hello

  # look at running containers
  podman ps -a

  # Look at logs
  podman logs ant_hello

  # check you can contact the running nginx server
  # As the firewall for port 8080 is not open this only works from localhost
  curl localhost:8080

  # get a shell into the running container (debugging)
  podman exec -u 0 -it ant_hello /bin/bash

  # Shutdown
  podman stop ant_hello

  # Note this may not remove the 'exited' container
  # if --rm was NOT given on start, so as to show the 'exit' status.
  podman ps -a

  # so remove any and all exited containers
  podman rm -v $(podman ps -aq -f status=exited -f status=created)

  # Remove Images (as listed above)
  podman rmi localhost/ant_hello:latest
  podman rmi ${GITHUB}/library/nginx:latest

-------------------------------------------------------------------------------
More controls...

Image specific commands

  # list images
  podman image ls

  # Examine all Dockerfile config commands used to create the image,
  # including those from the DockerHub image you based your image on.
  #
  podman inspect {image_name_or_id}

  # rename or retag an image
  podman tag {image_id} {image_name}:latest

  # remove images
  podman rmi {image_id}

Container (running pod) specific commands

  # List all containers (even those that have exited)
  podman ps -a

  # Examine the container's configuration and state
  # (mounts, ports, network, environment, exit code, ...)
  #
  podman inspect {container_name_or_id}

  # This command will remove any 'exited' pod processes you may have.
  # If you stopped the pod nicely using the above there will not be any,
  # due to the '--rm' option to auto-remove containers on exit.
  #
  # The '-q' option gets podman to simply list the IDs of the objects found
  # rather than a verbose table.
  #
  podman rm -v $(podman ps -a -q -f status=exited -f status=created)

  # Get a command line shell inside the running container!
  podman exec -u 0 -it {container} /bin/bash

  # copy a file into a running container (ephemeral)
  podman cp file.txt {container}:/path/to/file.txt

  # copy a file (logs?) out of a running container
  podman cp {container}:/path/to/data/. data

-------------------------------------------------------------------------------
subuid and subgid

Best troubleshooting guide
  https://access.redhat.com/solutions/6161832

Problems with these ranges show up when pulling images (unpacking an image
chowns its files into the mapped UID range, so a missing or too-small range
fails there):
  podman pull fedora

You can get around this by running with the option
  --storage-opt ignore_chown_errors=true
The latter setting can be put into /etc/containers/storage.conf.
Note that with it, files the image owns by an unmappable UID end up owned by
root (container UID 0) instead.

---
We need to map any extra UIDs or GIDs a container may use into UIDs that do
not clash with other UIDs/GIDs on the system.

Format of an /etc/subuid (or /etc/subgid) entry:  username:start_uid:size
  username   user running the container
  start_uid  uid to start mapping from
  size       limit on the number of uids mapped into the container

Example
  anthony:100000:1000

This causes UIDs 1 to 1000 in the container to map to host UIDs 100000 to
100999, while the default setup of podman maps uid 0 in the container to the
running user.

Note the host UID is start_uid + container_uid - 1, one less than you might
expect!  That is because container UID 0 is automatically mapped to the user's
own UID (whatever that is), as if the option --uidmap 0:$(id -u):1 were given,
so the subuid range only starts at container UID 1.

These ranges should not overlap either each other or those on the system, for
security reasons.

You can add them using
  usermod --add-subuids 200000-201000 --add-subgids 200000-201000 johndoe
but all containers need to be stopped, or a "podman system migrate" command
run, before the change takes effect.

Note the size often defaults to 65536.
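The mapping arithmetic and the "ranges should not overlap" rule above, as an added POSIX shell example (not part of these notes, and not podman's own code): it parses constructed /etc/subuid-style entries, computes which host UID a container UID lands on under the default rootless mapping, and flags ranges that overlap each other or reach down into the ordinary system UIDs. The entries, host UIDs and the 1001 cut-off are constructed sample values.

```shell
#!/bin/sh
# Added example: default rootless podman UID mapping and /etc/subuid sanity checks.
# SUBUID_SAMPLE is CONSTRUCTED sample data, not a real system's /etc/subuid.
# The third entry deliberately overlaps the first so the check has something to find.
SUBUID_SAMPLE='anthony:100000:1000
johndoe:200000:1000
badguy:100500:1000'
MAX_SYSTEM_UID=1001   # constructed: highest UID in use in /etc/passwd on this host

# subuid_range USER : print "start size" for USER from the sample entries
subuid_range() {
    printf '%s\n' "$SUBUID_SAMPLE" |
        awk -F: -v u="$1" '$1 == u { print $2, $3; exit }'
}

# host_uid USER HOST_UID CONTAINER_UID : host UID that CONTAINER_UID becomes
# under the default rootless mapping:
#   container 0            -> the user's own UID (HOST_UID)
#   container n, 1<=n<=size -> start + n - 1
#   anything higher         -> unmapped (shows up as nobody/65534 in the container)
host_uid() {
    user=$1 huid=$2 cuid=$3
    set -- $(subuid_range "$user")
    start=$1 size=$2
    if [ -z "$start" ]; then
        echo "no-subuid-entry"
    elif [ "$cuid" -eq 0 ]; then
        echo "$huid"
    elif [ "$cuid" -ge 1 ] && [ "$cuid" -le "$size" ]; then
        echo $((start + cuid - 1))
    else
        echo "unmapped"
    fi
}

# subuid_check : exit 0 if every range is above the system UIDs and no two
# ranges overlap; otherwise print each problem and exit 1.
subuid_check() {
    printf '%s\n' "$SUBUID_SAMPLE" | awk -F: -v maxuid="$MAX_SYSTEM_UID" '
        { user[NR] = $1; lo[NR] = $2; hi[NR] = $2 + $3 - 1 }
        END {
            bad = 0
            for (i = 1; i <= NR; i++) {
                if (lo[i] <= maxuid) {
                    printf "range for %s (%d-%d) reaches system UIDs\n", user[i], lo[i], hi[i]
                    bad = 1
                }
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s (%d-%d) and %s (%d-%d)\n", \
                               user[i], lo[i], hi[i], user[j], lo[j], hi[j]
                        bad = 1
                    }
            }
            exit bad
        }'
}

host_uid anthony 1000 0       # -> 1000   (container root is the host user)
host_uid anthony 1000 1       # -> 100000 (first subuid)
host_uid anthony 1000 100     # -> 100099 (the nginx UID used in the notes)
host_uid anthony 1000 1000    # -> 100999 (last subuid of a size-1000 range)
host_uid anthony 1000 1001    # -> unmapped
subuid_check || echo "fix /etc/subuid before starting containers"
```

Run the checks against a real system by replacing SUBUID_SAMPLE with `$(cat /etc/subuid)` and MAX_SYSTEM_UID with the largest UID from `/etc/passwd`; `podman unshare cat /proc/self/uid_map` is the authoritative view of what podman actually applied.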
A size of 65536 is probably overkill, though, and if you have a LOT of users
you may run out of UIDs; 1000 should be enough for most containers.

---
Check your own user settings with
  podman unshare cat /proc/self/uid_map
  podman unshare cat /proc/self/gid_map

Default for a host user of uid 1000
         0       1000          1
         1     100000      65536
that is, container root 0 -> host user's uid 1000
and the rest: container uid -> 100000 - 1 + uid
EG: nginx (100) in the container maps:  100 -> 100099

---
Set ranges for a user...

For existing users wanting to run podman
(This does not clash with griffith s-number UIDs)
  echo >> /etc/subuid "anthony:100000:1000"
  echo >> /etc/subgid "anthony:100000:1000"
or
  usermod --add-subuids 100000-100999 anthony
  usermod --add-subgids 100000-100999 anthony

To have ranges added automatically when new users are created (via "useradd");
these default to 65536
  vi /etc/login.defs
    SUB_UID_COUNT 1000
    SUB_GID_COUNT 1000
As such the next user will be assigned  new_user:101000:1000

---
Simple UID/GID adjustments

--userns 'keep-id'
  This sets the UID/GID inside the container to be your own UID/GID outside.
  NOTE: root will now be mapped to the subuid_start value.
  Container UIDs lower than your UID map to uid+subuid_start on the HOST.
  Container UIDs above your UID map to uid+subuid_start-1 on the HOST.
  When you 'exec' into the container you will by default be yourself, unless
  you specify the uid you want...  "podman exec -u 0 -it ..."

--userns 'keep-id:uid=100,gid=101'
  Like the previous but your host UID maps to 100 in the container (nginx?)

Alternative (the equivalent for the uids only)
  --uidmap 100:0:1                 # map container UID 100 to your normal UID
  --uidmap 0:1:100                 # map smaller UIDs (0-99) into the subuid range
  --uidmap 101:101:$((65536-100))  # map larger UIDs into the subuid range
Basically --uidmap can only map container UIDs into either your normal host UID
or the assigned "subuid" range.
Repeat the above with --gidmap for gids!

At this time, you can only pass this to podman-compose using the PODMAN_USERNS
environment variable.
In future this can be set using "userns_mode:"
  https://github.com/containers/podman-compose/issues/166

---
To just apply the default uidmap to a volume (to look at or modify it as a user)
start an 'unshare' shell.  This however does NOT understand --userns or --uidmap

  podman unshare bash

Note that while it applies the mappings, it does not mean you can access the
files in the new mapping from your normal UID/GID.

-------------------------------------------------------------------------------
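The --userns keep-id arithmetic and its --uidmap equivalent from the "Simple UID/GID adjustments" section above, as an added POSIX shell example (not part of these notes, and not podman's own code). It generalises the notes' keep-id:uid=100 case to any target UID: keepid_host_uid computes the host UID a container UID lands on, and keepid_uidmap prints the three --uidmap triples that reproduce keep-id:uid=TARGET. HOST_UID, SUBUID_START and SUBUID_SIZE are constructed sample values matching the notes' "host user 1000, anthony:100000:65536" setup.

```shell
#!/bin/sh
# Added example: the arithmetic behind --userns keep-id and --uidmap.
# Constructed sample values, matching the defaults shown in the notes.
HOST_UID=1000         # the user running podman
SUBUID_START=100000   # start of that user's /etc/subuid range
SUBUID_SIZE=65536     # size of that range

# Rootless --uidmap triples are CONTAINER_UID:INTERMEDIATE_UID:COUNT where
# intermediate 0 is the user's own UID and intermediate 1..SUBUID_SIZE are the
# subuids in order.  --userns keep-id:uid=T is podman doing, in effect:
#   --uidmap T:0:1            container T   -> host user
#   --uidmap 0:1:T            container 0..T-1 -> subuids start..start+T-1
#   --uidmap T+1:T+1:SIZE-T   container T+1..  -> subuids start+T..
# Plain keep-id is the same with T = HOST_UID.

# keepid_host_uid CONTAINER_UID [TARGET] : host UID for CONTAINER_UID under
# --userns keep-id (TARGET omitted) or keep-id:uid=TARGET.
keepid_host_uid() {
    cuid=$1 target=${2:-$HOST_UID}
    if [ "$cuid" -eq "$target" ]; then
        echo "$HOST_UID"                        # your own UID, unchanged
    elif [ "$cuid" -lt "$target" ] && [ "$cuid" -lt "$SUBUID_SIZE" ]; then
        echo $((SUBUID_START + cuid))           # below target: start + uid
    elif [ "$cuid" -gt "$target" ] && [ "$cuid" -le "$SUBUID_SIZE" ]; then
        echo $((SUBUID_START + cuid - 1))       # above target: start + uid - 1
    else
        echo unmapped                           # outside the subuid range
    fi
}

# keepid_uidmap TARGET : the --uidmap options equivalent to keep-id:uid=TARGET
keepid_uidmap() {
    target=$1
    out="--uidmap $target:0:1"
    [ "$target" -gt 0 ] && out="$out --uidmap 0:1:$target"
    out="$out --uidmap $((target + 1)):$((target + 1)):$((SUBUID_SIZE - target))"
    printf '%s\n' "$out"
}

# keepid_gidmap TARGET : same shape for groups (uses the subgid range, which
# these sample values assume is identical to the subuid range)
keepid_gidmap() {
    keepid_uidmap "$1" | sed 's/--uidmap/--gidmap/g'
}

echo "keep-id, host user $HOST_UID:"
for c in 0 999 "$HOST_UID" 1001; do
    echo "  container $c -> host $(keepid_host_uid "$c")"
done
echo "keep-id:uid=100 (nginx) as explicit maps:"
echo "  $(keepid_uidmap 100)"
echo "  $(keepid_gidmap 101)"
```

Because everything above the user's own UID shifts down by one, a file created by container UID 1001 under keep-id is owned by 101000 on the host, not 101001; `podman unshare ls -ln` on the volume shows the container-side numbers, while plain `ls -ln` shows the host-side ones this script predicts.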