
Podman in Action: Secure, rootless containers for Kubernetes, microservices, and more PDF

314 Pages·2023·13.862 MB·English

Preview Podman in Action: Secure, rootless containers for Kubernetes, microservices, and more

Podman in Action: Secure, rootless containers for Kubernetes, microservices, and more
Daniel Walsh
Manning

Podman and Docker feature comparison

| Feature | Podman | Docker | Description |
|---|---|---|---|
| Supports all OCI and Docker images | ✔ | ✔ | Both pull and run container images from container registries (i.e., quay.io and docker.io). |
| Launches OCI container engines | ✔ | ✔ | Launch containers using runc, crun, Kata, gVisor, and OCI container engines. |
| Simple command-line interface | ✔ | ✔ | Podman and Docker share the same CLI. |
| Integration with systemd | ✔ | ✘ | Podman supports running systemd inside of the container as well as many systemd features. |
| Fork/exec model | ✔ | ✘ | The container is a direct descendant of the podman command. |
| Fully supports user namespaces | ✔ | ✘ | Only Podman supports running containers in separate user namespaces. |
| Client–server model | ✔ | ✔ | Docker is a RESTful API daemon. Podman supports a RESTful API via a systemd socket-activated service. |
| Supports docker-compose | ✔ | ✔ | compose scripts work against both RESTful APIs. Podman's works in rootless mode. |
| Supports docker-py | ✔ | ✔ | docker-py Python bindings work against both RESTful APIs. Podman's works in rootless mode. Podman also supports podman-py for running advanced features. |
| Daemonless | ✔ | ✘ | The podman command runs like a traditional command-line tool, while Docker requires multiple root-running daemons. |
| Supports Kubernetes-like pods | ✔ | ✘ | Podman supports running multiple containers within the same pod. |
| Supports Kubernetes YAML | ✔ | ✘ | Podman can launch containers and pods based on Kubernetes YAML. It can also generate Kubernetes YAML from running containers. |
| Supports Docker swarm | ✘ | ✔ | Podman believes the future for orchestrated multi-node containers is Kubernetes and does not plan on implementing Swarm. |
| Customizable registries | ✔ | ✘ | Podman allows you to configure registries for short name expansion. Docker is hard coded to docker.io when you specify a short name. |
| Customizable defaults | ✔ | ✘ | Podman supports fully customizing all of its defaults, including security, namespaces, volumes, and more. |
| Mac OS support | ✔ | ✔ | Podman and Docker support running containers on a Mac via a VM running Linux. |
| Windows support | ✔ | ✔ | Podman and Docker support running containers on Windows via WSL2 or a VM running Linux. |
| Linux support | ✔ | ✔ | Podman and Docker are supported on all major Linux distributions. |

Podman in Action
SECURE, ROOTLESS CONTAINERS FOR KUBERNETES, MICROSERVICES, AND MORE
DANIEL WALSH
MANNING
SHELTER ISLAND

For online information and ordering of this and other Manning books, please visit www.manning.com. The publisher offers discounts on this book when ordered in quantity. For more information, please contact Special Sales Department, Manning Publications Co., 20 Baldwin Road, PO Box 761, Shelter Island, NY 11964. Email: [email protected]

©2023 by Manning Publications Co. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by means electronic, mechanical, photocopying, or otherwise, without prior written permission of the publisher.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in the book, and Manning Publications was aware of a trademark claim, the designations have been printed in initial caps or all caps.

Recognizing the importance of preserving what has been written, it is Manning's policy to have the books we publish printed on acid-free paper, and we exert our best efforts to that end. Recognizing also our responsibility to conserve the resources of our planet, Manning books are printed on paper that is at least 15 percent recycled and processed without the use of elemental chlorine.

The author and publisher have made every effort to ensure that the information in this book was correct at press time.
The author and publisher do not assume and hereby disclaim any liability to any party for any loss, damage, or disruption caused by errors or omissions, whether such errors or omissions result from negligence, accident, or any other cause, or from any usage of the information herein.

Manning Publications Co.
20 Baldwin Road
PO Box 761
Shelter Island, NY 11964

Development editor: Toni Arritola
Technical development editor: Joshua White
Technical editor: Roman Zhuzha
Review editor: Aleksandar Dragosavljević
Production editor: Andy Marinkovich
Copy editor: Christian Berk
Proofreader: Katie Tennant
Technical proofreader: Alain Lompo
Typesetter: Dennis Dalinnik
Cover designer: Marija Tudor

ISBN: 9781633439689
Printed in the United States of America

In memory of my mother, Joan P. Walsh

brief contents

PART 1 FOUNDATIONS 1
  1 Podman: A next-generation container engine 3
  2 Command line 27
  3 Volumes 67
  4 Pods 76
PART 2 DESIGN 87
  5 Customization and configuration files 89
  6 Rootless containers 106
PART 3 ADVANCED TOPICS 125
  7 Integration with systemd 127
  8 Working with Kubernetes 151
  9 Podman as a service 166
PART 4 CONTAINER SECURITY 187
  10 Security container isolation 189
  11 Additional security considerations 216

contents

preface xi
acknowledgments xii
about this book xiii
about the author xvi
about the cover illustration xvii

PART 1 FOUNDATIONS 1

1 Podman: A next-generation container engine 3
  1.1 About all these terms 4
  1.2 A brief overview of containers 7
      Container images: A new way to ship software 9 ■ Container images lead to microservices 11 ■ Container image format 13 ■ Container standards 14
  1.3 Why use Podman when you have Docker? 15
      Why have only one way to run containers? 15 ■ Rootless containers 16 ■ Fork/exec model 17 ■ Podman is daemonless 19 ■ User-friendly command line 19 ■ Support for REST API 21 ■ Integration with systemd 21 ■ Pods 22 ■ Customizable registries 23 ■ Multiple transports 25 ■ Complete customizability 25 ■ User-namespace support 26
  1.4 When not to use Podman 26

2 Command line 27
  2.1 Working with containers 28
      Exploring containers 28 ■ Running the containerized application 30 ■ Stopping containers 34 ■ Starting containers 35 ■ Listing containers 36 ■ Inspecting containers 36 ■ Removing containers 37 ■ exec-ing into a container 38 ■ Creating an image from a container 39
  2.2 Working with container images 41
      Differences between a container and an image 42 ■ Listing images 44 ■ Inspecting images 45 ■ Pushing images 46 ■ podman login: Logging into a container registry 48 ■ Tagging images 50 ■ Removing images 53 ■ Pulling images 55 ■ Searching for images 58 ■ Mounting images 59
  2.3 Building images 60
      Format of a Containerfile or Dockerfile 61 ■ Automating the building of our application 64

3 Volumes 67
  3.1 Using volumes with containers 68
      Named volumes 70 ■ Volume mount options 72 ■ podman run --mount command option 75

4 Pods 76
  4.1 Running pods 76
  4.2 Creating a pod 79
  4.3 Adding a container to a pod 80
  4.4 Starting a pod 82
  4.5 Stopping a pod 83
  4.6 Listing pods 84
  4.7 Removing pods 84

PART 2 DESIGN 87

5 Customization and configuration files 89
  5.1 Configuration files for storage 91
      Storage location 91 ■ Storage drivers 94
  5.2 Configuration files for registries 96
      registries.conf 96
  5.3 Configuration files for engines 100
  5.4 System configuration files 104

6 Rootless containers 106
  6.1 How does rootless Podman work? 109
      Images contain content owned by multiple user identifiers (UIDs) 110
  6.2 Rootless Podman under the covers 118
      Pulling the image 119 ■ Creating a container 120 ■ Setting up the network 120 ■ Starting the container monitor: conmon 121 ■ Launching the OCI runtime 121 ■ The containerized application runs until completion 124

PART 3 ADVANCED TOPICS 125

7 Integration with systemd 127
  7.1 Running systemd within a container 128
      Containerized systemd requirements 131 ■ Podman container in systemd mode 131 ■ Running an Apache service within a systemd container 132
  7.2 Journald for logging and events 134
      Log driver 135 ■ Events 136
  7.3 Starting containers at boot 137
      Restarting containers 137 ■ Podman containers as systemd services 138 ■ Distributing systemd unit files to manage Podman containers 141 ■ Automatically updating Podman containers 142
  7.4 Running containers in notify unit files 145
  7.5 Rolling back failed containers after update 147
  7.6 Socket-activated Podman containers 147

8 Working with Kubernetes 151
  8.1 Kubernetes YAML files 153
  8.2 Generating Kubernetes YAML files with Podman 153
  8.3 Generating Podman pods and containers from Kubernetes YAML 157
      Shutting down pods and containers based on a Kubernetes YAML file 158 ■ Building images using Podman and Kubernetes YAML files 159
