The next generation of containers is here. Learn Podman directly from its creator, discover its exceptional security features, and start managing rootless containers that integrate easily into your systems.
In Podman in Action you will learn how to:
• Build and run containers in rootless mode
• Develop and manage pods
• Use SystemD to oversee a container’s lifecycle
• Work with the Podman service via Python
• Keep your containers confined using Podman security features
• Manage containerized applications on edge devices
Podman in Action shows you how to deploy containerized applications on Linux, Windows, and MacOS systems using Podman. Written by Daniel Walsh, who leads the Red Hat Podman team, this book teaches you how to securely manage the entire application lifecycle without human intervention. You’ll quickly get to grips with Podman’s unique advantages over Docker, and learn how easy it is to migrate your Docker-based infrastructure. It also demonstrates how, with Podman, you can easily convert containerized applications into Kubernetes-based microservices.
About the technology
It’s time to upgrade your container engine! The Podman container manager delivers flexible image layer control, seamless Kubernetes compatibility, and rootless containers that can be created, run, and managed by users without admin rights. Plus, its OCI-compliant support for the Docker API lets you shift existing containers to Podman without breaking your scripts or changing the way you work.
About the book
Podman in Action introduces the Podman container manager. The easy-to-follow explanations and examples give you a clear view of what containers are, how they work, and how to manage them using Podman’s powerful features. You’ll get a deep look at the Linux components Podman uses and even learn more about Docker along the way. You’ll especially appreciate author Dan Walsh’s unique insights into container security.
What's inside
• Develop and manage pods
• Key security concepts including SELinux and SECCOMP
• Use systemd to oversee a container’s lifecycle
• Keep your containers confined using Podman security
• Manage containerized applications on edge devices
• Install and run Podman on MacOS and Windows
About the reader
For developers or system administrators experienced with Linux and Docker.
About the author
Daniel Walsh is a senior distinguished engineer at Red Hat, and leads the team that created Podman.
Author(s): Daniel Walsh
Edition: 1
Publisher: Manning Publications
Year: 2023
Language: English
Commentary: Publisher's PDF
Pages: 312
City: Shelter Island, NY
Tags: Command Line; Security; Kubernetes; systemd; REST API; Podman; Containers; Rootless Containers
Podman in Action
brief contents
contents
preface
acknowledgments
about this book
Who should read this book?
How this book is organized: A roadmap
liveBook discussion forum
Author online
about the author
about the cover illustration
Part 1—Foundations
1 Podman: A next-generation container engine
1.1 About all these terms
1.2 A brief overview of containers
1.2.1 Container images: A new way to ship software
1.2.2 Container images lead to microservices
1.2.3 Container image format
1.2.4 Container standards
1.3 Why use Podman when you have Docker?
1.3.1 Why have only one way to run containers?
1.3.2 Rootless containers
1.3.3 Fork/exec model
1.3.4 Podman is daemonless
1.3.5 User-friendly command line
1.3.6 Support for REST API
1.3.7 Integration with systemd
1.3.8 Pods
1.3.9 Customizable registries
1.3.10 Multiple transports
1.3.11 Complete customizability
1.3.12 User-namespace support
1.4 When not to use Podman
Summary
2 Command line
2.1 Working with containers
2.1.1 Exploring containers
2.1.2 Running the containerized application
2.1.3 Stopping containers
2.1.4 Starting containers
2.1.5 Listing containers
2.1.6 Inspecting containers
2.1.7 Removing containers
2.1.8 exec-ing into a container
2.1.9 Creating an image from a container
2.2 Working with container images
2.2.1 Differences between a container and an image
2.2.2 Listing images
2.2.3 Inspecting images
2.2.4 Pushing images
2.2.5 podman login: Logging into a container registry
2.2.6 Tagging images
2.2.7 Removing images
2.2.8 Pulling images
2.2.9 Searching for images
2.2.10 Mounting images
2.3 Building images
2.3.1 Format of a Containerfile or Dockerfile
2.3.2 Automating the building of our application
Summary
3 Volumes
3.1 Using volumes with containers
3.1.1 Named volumes
3.1.2 Volume mount options
3.1.3 podman run - -mount command option
Summary
4 Pods
4.1 Running pods
4.2 Creating a pod
4.3 Adding a container to a pod
4.4 Starting a pod
4.5 Stopping a pod
4.6 Listing pods
4.7 Removing pods
Summary
Part 2—Design
5 Customization and configuration files
5.1 Configuration files for storage
5.1.1 Storage location
5.1.2 Storage drivers
5.2 Configuration files for registries
5.2.1 registries.conf
5.3 Configuration files for engines
5.4 System configuration files
Summary
6 Rootless containers
6.1 How does rootless Podman work?
6.1.1 Images contain content owned by multiple user identifiers (UIDs)
6.2 Rootless Podman under the covers
6.2.1 Pulling the image
6.2.2 Creating a container
6.2.3 Setting up the network
6.2.4 Starting the container monitor: conmon
6.2.5 Launching the OCI runtime
6.2.6 The containerized application runs until completion
Summary
Part 3—Advanced topics
7 Integration with systemd
7.1 Running systemd within a container
7.1.1 Containerized systemd requirements
7.1.2 Podman container in systemd mode
7.1.3 Running an Apache service within a systemd container
7.2 Journald for logging and events
7.2.1 Log driver
7.2.2 Events
7.3 Starting containers at boot
7.3.1 Restarting containers
7.3.2 Podman containers as systemd services
7.3.3 Distributing systemd unit files to manage Podman containers
7.3.4 Automatically updating Podman containers
7.4 Running containers in notify unit files
7.5 Rolling back failed containers after update
7.6 Socket-activated Podman containers
Summary
8 Working with Kubernetes
8.1 Kubernetes YAML files
8.2 Generating Kubernetes YAML files with Podman
8.3 Generating Podman pods and containers from Kubernetes YAML
8.3.1 Shutting down pods and containers based on a Kubernetes YAML file
8.3.2 Building images using Podman and Kubernetes YAML files
8.4 Running Podman within a container
8.4.1 Running Podman within a Podman container
8.4.2 Running Podman within a Kubernetes pod
Summary
9 Podman as a service
9.1 Introducing the Podman service
9.1.1 Systemd services
9.2 Podman-supported APIs
9.3 Python libraries for interacting with Podman
9.3.1 Using docker-py with the Podman API
9.3.2 Using podman-py with the Podman API
9.3.3 Which Python library should you use?
9.4 Using docker-compose with the Podman service
9.5 podman - -remote
9.5.1 Local connections
9.5.2 Remote connections
9.5.3 Setting up SSH on the client machine
9.5.4 Configuring a connection
Summary
Part 4—Container security
10 Security container isolation
10.1 Read-only Linux kernel pseudo filesystems
10.1.1 Unmasking the masked paths
10.1.2 Masking additional paths
10.2 Linux capabilities
10.2.1 Dropped Linux capabilities
10.2.2 Dropped CAP_SYS_ADMIN
10.2.3 Dropping capabilities
10.2.4 Adding capabilities
10.2.5 No new privileges
10.2.6 Root with no capabilities is still dangerous
10.3 UID isolation: User namespace
10.3.1 Isolating containers using the - -userns=auto flag
10.3.2 User-namespaced Linux capabilities
10.3.3 Rootless Podman with the - -userns=auto flag
10.3.4 User volumes with the - -userns=auto flag
10.4 Process isolation: PID namespace
10.5 Network isolation: Network namespace
10.6 IPC isolation: IPC namespace
10.7 Filesystem isolation: Mount namespace
10.8 Filesystem isolation: SELinux
10.8.1 SELinux type enforcement
10.8.2 SELinux Multi-Category Security separation
10.9 System call isolation seccomp
10.10 Virtual machine isolation
Summary
11 Additional security considerations
11.1 Daemon versus the fork/exec model
11.1.1 Access to the docker.sock
11.1.2 Auditing and logging
11.2 Podman secret handling
11.3 Podman image trust
11.3.1 Podman image signing
11.4 Podman image scanning
11.4.1 Read-only containers
11.5 Security in depth
11.5.1 Podman uses all security mechanisms simultaneously
11.5.2 Where should you run your containers?
Summary
Appendix A—Podman-related container tools
A.1 Skopeo
A.2 Buildah
A.2.1 Creating a working container from a base image
A.2.2 Adding data to a working container
A.2.3 Running commands in a working container
A.2.4 Adding content to a working container directly from the host
A.2.5 Configuring a working container
A.2.6 Creating an image from a working container
A.2.7 Pushing an image to a container registry
A.2.8 Building an image from Containerfiles
A.2.9 Buildah as a library
A.3 CRI-O: Container Runtime Interface for OCI containers
Appendix B—OCI runtimes
B.1 runc
B.2 crun
B.3 Kata
B.4 gVisor
Appendix C—Getting Podman
C.1 Installing Podman
C.1.1 macOS
C.1.2 Windows
C.1.3 Arch Linux and Manjaro Linux
C.1.4 CentOS
C.1.5 Debian
C.1.6 Fedora
C.1.7 Fedora-CoreOS, Fedora Silverblue
C.1.8 Gentoo
C.1.9 OpenEmbedded
C.1.10 openSUSE
C.1.11 openSUSE Kubic
C.1.12 Raspberry Pi OS arm64
C.1.13 Red Hat Enterprise Linux
C.1.14 Ubuntu
C.2 Building from source code
C.3 Podman Desktop
Summary
Appendix D—Contributing to Podman
D.1 Joining the community
D.2 Podman on github.com
Appendix E—Podman on macOS
E.1 Using podman machine
E.1.1 podman machine init
E.1.2 Podman machine SSH configuration
E.1.3 Starting the VM
E.1.4 Stopping the VM
Summary
Appendix F—Podman on Windows
F.1 First steps
F.1.1 Prerequisites
F.1.2 Installing Podman
F.2 Using podman machine
F.2.1 podman machine init
F.2.2 Podman machine SSH configuration
F.2.3 Starting the WSL 2 instance
F.2.4 Using podman machine commands
Summary
index
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
Y
Z
