Podman – a Container runtime

By: DALEEP SINGH

2020-May-15 11:05:24

I have been using Docker for a long time. Quite recently, I came across Podman, another container runtime. Podman is now even preferred over Docker, and I feel it rightly deserves it.

Podman, as a container runtime, doesn't need a system daemon to run, build and manage containers, nor does it need to run as the root user on the host to create containers. Podman uses the traditional fork-exec model and relies on user namespaces and network namespaces. This works in favor of Podman being more secure than Docker. The best argument was that it is a kind of in-place replacement for Docker, i.e., you can use all Docker verbs as-is with Podman; just replace docker with podman.

I grabbed a Fedora 31 host to install and try Podman.

Install and use podman

Let me first show you some basic Docker-like operations with Podman, and later we will move on to more Podman-specific features (pods with Podman).

To install Podman, run:

In fact, Podman was built to make it easy for existing Docker users to transition to it. For example, instead of docker ps, you can simply say podman ps to list the running containers on the host. To make life even easier, there is a package, podman-docker, which once installed lets you run all commands using the docker command while calling podman in the background. So from the user's perspective, there are no new commands or verbs to learn or remember.

Now that we have Podman installed, let's run a few commands to download an image and create a container.

Using the search verb, similar to docker search, you can search for images.

Once you have looked up the images, use the pull verb to download one with Podman.

The above output shows that the image has been downloaded and is available in the image cache (I will talk about the cache/storage location shortly).

Now that we have the image, we can use podman with the run verb to start a new container from the downloaded image.

Using -h as a parameter, I was able to give my container a hostname, fedora-host in this case.

Podman is able to run these containers as a regular user, as you can see from the above outputs. However, if I run inspect as a regular user and as the root user, I can observe a difference: I am able to see the IP address of the container as root, but it is blank as a regular user. This could be a topic for a later discussion.

I have tried to show the difference in the following examples, where the same image is used to create two containers, one rootless and the other with root privileges.

Case 1: rootless container with Podman

I pulled a simple httpd image to deploy the web containers.

The container is now running successfully with the name web-srv, as seen from the output.

However, when you run podman inspect to get the IP address associated with the container, it doesn't show one.

Why?

Because when we use Podman as a rootless user, the network setup is automatic and the container doesn't get an IP address: without root privileges, a network device cannot be associated with the container.

Case 2: rootful container with Podman

Using the same httpd image, I created another container, this time as the root user on the Fedora host. The container was named root-web-srv to identify that it was created as root.

Once the container was up and running, running inspect on it showed the IP address, 10.88.0.2 in this case, allocated to the container by the container runtime's CNI.

If I cannot get an IP address when running Podman rootless, then how can we connect to such a container and access the application?

This is possible using port mapping to the port assigned by Podman. Let me show how it can be done using the same httpd image.

As you can see in the previous example, I used the additional switch --publish-all to publish all ports exposed by the container image and to map host ports to them.

Using podman port -l, I was able to list the ports being mapped, and by sending a curl request to localhost on the assigned port, I was able to access the application content.
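The rootless --publish-all, podman port -l and curl sequence above, scripted as an added shell example (not from the original post). The host_port_for helper and the SAMPLE_PORT_OUTPUT text are mine: the sample is constructed to match the "CONTAINER_PORT/PROTO -> HOST_IP:HOST_PORT" lines podman port prints, and the live branch only runs when PODMAN_LIVE=1 and podman is installed, using the httpd image and web-srv name from the post.

```shell
#!/bin/sh
# Added example (not from the original post): script the rootless
# port-mapping workflow. SAMPLE_PORT_OUTPUT is constructed to mimic the
# "CONTAINER_PORT/PROTO -> HOST_IP:HOST_PORT" lines that `podman port`
# prints, so the parsing can be exercised on a host without podman.

# host_port_for CONTAINER_PORT: read `podman port` output on stdin and print
# the host port that --publish-all mapped to the given container TCP port.
host_port_for() {
  want="$1"
  while IFS= read -r line; do
    case "$line" in
      "$want/tcp -> "*) printf '%s\n' "${line##*:}" ;;
    esac
  done
}

# Constructed sample of `podman port -l` for an httpd container started with
# --publish-all; the random high host ports are exactly what we must discover.
SAMPLE_PORT_OUTPUT='80/tcp -> 0.0.0.0:42103
443/tcp -> 0.0.0.0:42104'

# rootless_httpd_url: start httpd as the invoking non-root user, publish the
# image's exposed ports, and print the localhost URL that reaches port 80.
# Rootless containers show no IP in `podman inspect`, so the host-side port
# mapping is the only way to reach the service from the host.
rootless_httpd_url() {
  podman run -d --name web-srv --publish-all httpd >/dev/null
  port=$(podman port -l | host_port_for 80)
  printf 'http://localhost:%s\n' "$port"
}

if [ "${PODMAN_LIVE:-0}" = 1 ] && command -v podman >/dev/null 2>&1; then
  # live run: fetch the first line of httpd's default page
  curl -s "$(rootless_httpd_url)" | head -n 1
else
  # offline run on the constructed sample (prints 42103)
  printf 'sample host port for 80/tcp: %s\n' \
    "$(printf '%s\n' "$SAMPLE_PORT_OUTPUT" | host_port_for 80)"
fi
```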

Snippet from the podman run help showing the port-mapping options:

Podman configuration and storage

Podman uses the configuration file /etc/containers/registries.conf to identify the registries to search and download images from when creating containers. Additional registries can also be created in the /etc/containers/registries.d folder (shown below).

Podman stores its containers and images in a different place than Docker: /var/lib/containers instead of /var/lib/docker. This storage structure is based on the Open Container Initiative (OCI) standards.

Also, since it doesn't need to run as root, other (non-root) system users using Podman need a separate location where Podman can write images and store container metadata. For this purpose, Podman uses a repository in the user's home directory at ~/.local/share/containers. This ensures that individual users can have separate containers and images with Podman on the same host without stepping on each other's toes. It also avoids making /var/lib/containers/ world-writable.

The outputs below highlight the container storage used by a regular user (dba in the example) and by the root user. Let's first see the storage used by the dba user on my Fedora host.

Some more detailed information can be seen in the next output.

If you observe the folder names, you will find that they correspond to the containers shown in the podman ps output, 0beae1cfddac and 404da0e366a8. This is where the containers are stored for the dba user.

For the root user, you will find that it uses the /var/lib/containers/ container storage, as shown below.

I hope this article is enough to get you started with Podman and able to create and manage containers. You can also refer to the podman --help command to explore the sub-commands, and to podman help for the possible switches/options of each sub-command.

Thanks, and happy reading!