oSLO 2020 - Getting started with Podman

Ish Sookun
October 15, 2020


Introductory presentation on Podman at the virtual openSUSE + LibreOffice Conference 2020.


Transcript

  1. Getting started with Podman

  2. Linux namespaces

  3. Overview of Linux namespaces
    A namespace wraps a global system resource in an
    abstraction that makes it appear to the processes
    within the namespace that they have their own
    isolated instance of the global resource. Changes
    to the global resource are visible to other
    processes that are members of the namespace,
    but are invisible to other processes. One use of
    namespaces is to implement containers.
    $ man namespaces
    Demo:
    $ sudo unshare -u /bin/bash
    Namespace  Isolates
    Cgroup     Cgroup root directory
    IPC        System V IPC, POSIX message queues
    Network    Network devices, stacks, ports, etc.
    Mount      Mount points
    PID        Process IDs
    User       User and group IDs
    UTS        Hostname and NIS domain name

  4. Listing Linux namespaces
    The command lsns lists information about all the
    currently accessible namespaces or about the
    given namespace.
    Column   Description
    NS       Namespace identifier (inode number)
    TYPE     Kind of namespace
    PATH     Path to the namespace
    NPROCS   Number of processes in the namespace
    PID      Process ID
    PPID     Parent Process ID
    USER     Username of the PID
    COMMAND  Command line of the PID
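The namespace identifiers that lsns prints in its NS column are the inode numbers behind the symlinks in /proc/PID/ns. The script below is an added example (not from the slides) that reads those links directly to tell which namespaces two processes share and which have been unshared, for instance a shell started with the unshare -u demo above, or an nginx process inside a container, compared with the host shell. PROC_ROOT is a hypothetical override that lets the functions run against a constructed directory tree instead of the real /proc.

```shell
#!/bin/sh
# Added example, not from the presentation: compare the namespaces of two
# processes by reading the /proc/<pid>/ns symlinks (what lsns shows as NS).
# PROC_ROOT is an assumption of this script, not a kernel or lsns feature:
# it defaults to /proc and can point at a fake tree for offline testing.
PROC_ROOT="${PROC_ROOT:-/proc}"
NS_TYPES="cgroup ipc mnt net pid user uts"

# ns_id PID TYPE -> prints e.g. "uts:[4026531838]" (empty if unreadable)
ns_id() {
    readlink "$PROC_ROOT/$1/ns/$2" 2>/dev/null || true
}

# shared_ns PID1 PID2 -> prints, one per line, the namespace types both
# processes are members of (same inode)
shared_ns() {
    for t in $NS_TYPES; do
        a=$(ns_id "$1" "$t"); b=$(ns_id "$2" "$t")
        [ -n "$a" ] && [ "$a" = "$b" ] && printf '%s\n' "$t"
    done
    return 0
}

# unshared_ns PID1 PID2 -> prints the namespace types whose inodes differ,
# i.e. the isolation that separates the two processes
unshared_ns() {
    for t in $NS_TYPES; do
        a=$(ns_id "$1" "$t"); b=$(ns_id "$2" "$t")
        [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ] && printf '%s\n' "$t"
    done
    return 0
}

# Stand-alone use: sh ns_compare.sh PID1 PID2
# e.g. sh ns_compare.sh $$ "$(pidof -s nginx)" after the podman run demo
if [ "$#" -eq 2 ]; then
    printf 'shared:   %s\n' "$(shared_ns "$1" "$2" | tr '\n' ' ')"
    printf 'unshared: %s\n' "$(unshared_ns "$1" "$2" | tr '\n' ' ')"
fi
```

For a container started by Podman you would expect mnt, net, pid and uts to show up as unshared while cgroup and user (for a root-run container) stay shared; a process that claims to be "containerised" but shares every namespace with your shell is not isolated at all.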

  5. Container runtimes
    Container runtimes can be categorized as being
    low-level or high-level.
    Low-level container runtimes usually focus
    on just running containers, e.g. runc.
    High-level container runtimes provide additional
    features, e.g. managing images and containers.
    Nevertheless, running a container is often all that is
    required to call “something” a container runtime.
    ● containerd
    ● Docker
    ● Kata Containers
    ● LXD
    ● rkt
    ● runc
    ● Others…
    (Mentioned in alphabetical order)

    View Slide

  6. What is a container composed of?

  7. Skopeo
    Skopeo is a command line utility used to interact with
    local and remote container images and container image
    registries.
    Skopeo can copy container images between various
    container image stores, converting them as necessary.
    $ skopeo inspect docker://opensuse/leap
    $ mkdir nginx
    $ skopeo copy docker://nginx:latest dir:nginx
    $ tree nginx

  8. Peeking further into the container image
    The container image contains several files among which are compressed layers containing files that
    provide the necessary environment for a running container. Not clear enough?
    Okay, fine. Let’s decompress one layer to see what it contains.
    $ mkdir b8f2
    $ tar -C b8f2 -xf b8f262c62ec67f02536f49654de586c022043652bbb6bbf76a8dab1542627a8d
    $ ls -lh b8f2
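The file name that was just unpacked is the hex part of the layer's sha256 digest, and manifest.json in the same directory lists the digest of every layer and of the image config. That makes a copied image self-verifying: before trusting what skopeo copy fetched, you can recompute each blob's hash and compare it with the name the manifest references. The script below is an added example (not from the slides) that does exactly that; it assumes the dir: layout written by skopeo copy (manifest.json next to blobs named by digest hex) and coreutils sha256sum.

```shell
#!/bin/sh
# Added example, not from the presentation: verify that every blob referenced
# by manifest.json in a skopeo "dir:" image hashes to the digest it is named by.
# Assumes the dir: transport layout (manifest.json beside blobs whose file name
# is the sha256 hex) and sha256sum from coreutils.

# manifest_digests DIR -> prints the hex part of each sha256 digest found in
# manifest.json (config and layers), one per line, deduplicated
manifest_digests() {
    grep -o '"sha256:[0-9a-f]\{64\}"' "$1/manifest.json" \
        | tr -d '"' | cut -d: -f2 | sort -u
}

# verify_dir_image DIR -> prints one status line per referenced blob and
# returns 0 only if every blob exists and its content matches its name
verify_dir_image() {
    dir=$1; rc=0
    for hex in $(manifest_digests "$dir"); do
        if [ ! -f "$dir/$hex" ]; then
            printf 'MISSING  %s\n' "$hex"; rc=1; continue
        fi
        actual=$(sha256sum "$dir/$hex" | cut -d' ' -f1)
        if [ "$actual" = "$hex" ]; then
            printf 'ok       %s\n' "$hex"
        else
            printf 'MISMATCH %s (content hashes to %s)\n' "$hex" "$actual"; rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh verify_dir_image.sh nginx   (the directory from slide 7)
if [ "$#" -eq 1 ]; then
    verify_dir_image "$1"
fi
```

A MISMATCH means the blob was altered after the manifest was written (or a different file was dropped in under the same name); a MISSING line means the copy is incomplete. Note that this only proves the directory is consistent with its own manifest; whether that manifest is the one the publisher signed is a separate question, answered by signature verification, not by hashing.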

  9. Podman
    Podman (Pod Manager) is a fully featured container
    engine that is a simple daemonless tool. Podman
    provides a Docker-CLI comparable command line that
    eases the transition from other container engines and
    allows the management of pods, containers and images.
    Podman uses Buildah internally to create container
    images. Both tools share image (not container) storage,
    hence each can use or manipulate images (but not
    containers) created by the other.
    Simple demo:
    $ podman run --rm -d -p 8080:80 nginx
    $ curl localhost:8080

  10. Where does Podman store container information?
    When running Podman as root, the default location
    for storage is /var/lib/containers/storage.
    Users cannot use this directory when running as
    non-root, so Podman creates the storage by
    default in $HOME/.local/share/containers.
    $ podman info
    Running the above command produces an output
    displaying some key information about Podman
    configuration including the path to container
    storage.

  11. Container Image Registries
    Before we experiment further with containers we need to understand a few basic things about registries.
    What happened when we ran the below command earlier?
    $ podman run --rm -d -p 8080:80 nginx
    Podman first checks whether there is a local image tagged “nginx” to spin a container from. If it is not
    present on the system it will look for it in some “remote location”, pull the image and then run the
    container. Pulling an image can be done independently of running a container, e.g.:
    $ podman pull nextcloud
    The remote location which we referred to is called a container registry.
    Local images can be listed by executing:
    $ podman images

  12. Container Image Registries
    Information about image registries is stored in /etc/containers/registries.conf. It is a system-wide
    configuration file for container image registries. The file format is TOML. More information about the
    configuration can be found in the man page.
    $ man containers-registries.conf
    The most important part of this config file is the list of registry URLs.
    [registries.search]
    registries = ["registry.opensuse.org", "docker.io"]
    The above list contains the URLs of the container registries in which images are searched for and from
    which they are downloaded. If the list contains more than one URL, the entries are comma separated.

  13. Container Image Registries
    You may specify from which registry Podman should pull an image.
    $ podman pull registry.opensuse.org/opensuse/nginx:latest
    $ podman pull registry.opensuse.org/opensuse/nginx:1.17.9
    Skopeo can be used to find all the tags for a specific image.
    $ skopeo inspect docker://registry.opensuse.org/opensuse/nginx
    Look for the RepoTags and you will find the different Nginx version numbers for which a container
    image was built.

  14. Podman flags
    $ podman run --rm -d --name webserver -h web \
    -v /home/ish/summit2019:/usr/share/nginx/html \
    -p 8080:80 nginx
    We are running a container based on the nginx image, with the name webserver and the hostname set to
    web. It maps the container’s port 80 to the host’s port 8080 and mounts a volume at the path of the Nginx
    virtual host root directory.
    We can enter the container by executing the following.
    $ podman exec -it webserver bash
    The -it flag specifies that STDIN should be kept open and a pseudo-TTY attached. You can experiment
    further with the different flags.
    $ podman run --help

  15. Printing information about containers
    $ podman ps -a
    Displays all containers; by default only running containers are shown.
    $ podman ps -a -s
    Displays the total file size.
    $ podman ps --ns -a
    Displays namespace information.
    $ podman ps -a -p
    Displays the pods the containers are associated with.

  16. Display a container or image's configuration
    $ podman inspect container_name
    This displays the low-level information on containers and images identified by name or ID. By default, this
    will render all results in a JSON array.
    $ podman images
    REPOSITORY               TAG     IMAGE ID      CREATED     SIZE
    docker.io/library/nginx  latest  f949e7d76d63  2 days ago  130 MB
    $ podman inspect f949e7d76d63

  17. Podman as a Systemd service
    Podman wasn’t designed to manage container
    start-up order or the recovery of failed containers.
    A Systemd unit file on the host can have the host
    automatically start, stop, check the status, and
    manage a container as a regular systemd service.
    We create a Systemd unit file in
    /etc/systemd/system/webserver.service:
    [Unit]
    Description=Podman webserver
    After=network.target
    [Service]
    Type=simple
    Restart=always
    # No -d here: with Type=simple podman must stay in the foreground so that
    # systemd tracks the container's lifetime. With -d, podman would exit as soon
    # as the container detached and Restart=always would relaunch it against the
    # already existing container name.
    ExecStart=/usr/bin/podman run --rm --name webserver -h web \
      -v /home/ish/summit2019:/usr/share/nginx/html -p 8080:80 nginx
    ExecStop=/usr/bin/podman stop webserver
    [Install]
    WantedBy=multi-user.target
    We then enable and start the service:
    $ sudo systemctl enable webserver
    $ sudo systemctl start webserver

  18. Understanding Pods
    The term pod originates from the Kubernetes project where a pod relates to a unit of deployment, i.e an
    instance of an application. A pod may contain a single or multiple containers. In a multi-container pod all
    the containers can communicate with each other over localhost since they share the same network
    namespace.
    An empty pod will contain one container by default which is called the “infra container”.
    $ podman pod create --name small-pod
    $ podman pod ps
    POD ID        NAME       STATUS   CREATED             # OF CONTAINERS  INFRA ID
    0173c61afadd  small-pod  Created  About a minute ago  1                613f59088260
    An infra container is a lightweight container used to coordinate the shared kernel namespace of a pod.

  19. Running containers inside a Pod
    First we create a pod and provide details such as ports that need to be exposed or volumes that need to
    be attached. Then, when creating a container, we need not specify port or volume related
    information but simply give the pod name using --pod.
    $ podman pod create --name webapp -p 8080:80
    $ podman run -dt --pod webapp --name nginx opensuse/nginx
    $ podman run -dt --pod webapp --name mariadb opensuse/mariadb
    $ podman pod ps
    POD ID        NAME    STATUS   CREATED        # OF CONTAINERS  INFRA ID
    7bd9c415ec6e  webapp  Running  7 minutes ago  3                626e84d6e7e4

  20. A quick note about conmon
    Conmon is a monitoring program and
    communication tool between podman and runc for
    a single container.
    $ podman ps -a --pod
    $ ps -fp "$(pidof conmon)"
    Compare the output of the above commands to
    relate one conmon process to every running
    container.
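Matching the two listings by eye works for a demo, but on a busy host it helps to have the mapping computed: the container ID and name are present on each conmon command line, so a process listing is enough to tie every conmon PID to the container it monitors, which is also what you need when host-level process telemetry has to be correlated with a container. The script below is an added example (not from the slides). It assumes conmon is started with "-c <container id>" and "-n <container name>", as Podman does, and the sample process lines are constructed for illustration, not captured output.

```shell
#!/bin/sh
# Added example, not from the presentation: map each conmon process to the
# container it monitors by picking the container ID (-c) and name (-n) out of
# conmon's command line. Assumes the "-c"/"-n" flags Podman passes to conmon.
# Input: "pid args" lines in the shape printed by ps -o pid=,args=

# conmon_table < ps-output -> prints "PID CONTAINER_ID NAME" per conmon process
conmon_table() {
    awk '
        $2 ~ /conmon$/ {
            cid = "?"; name = "?"
            for (i = 3; i <= NF; i++) {
                if ($i == "-c") cid = $(i + 1)
                if ($i == "-n") name = $(i + 1)
            }
            print $1, cid, name
        }'
}

# Constructed sample lines (not real output) in the shape of
#   ps -o pid=,args= -p "$(pidof conmon)"
# The container IDs are made-up 64-hex strings.
SAMPLE_PS='
 4242 /usr/bin/conmon --api-version 1 -c 1f2e3d4c5b6a7f8e9d0c1b2a3f4e5d6c7b8a9f0e1d2c3b4a5f6e7d8c9b0a1f2e -u 1f2e3d4c5b6a -r /usr/bin/runc -n webserver
 4310 /usr/bin/conmon --api-version 1 -c 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b -u 9a8b7c6d5e4f -r /usr/bin/runc -n mariadb
 4400 /usr/bin/nginx
'

# Stand-alone use on a live host:
#   ps -o pid=,args= -p "$(pidof conmon)" | conmon_table
# Without arguments the script demonstrates the parser on the sample lines.
if [ "$#" -eq 0 ]; then
    printf '%s\n' "$SAMPLE_PS" | conmon_table
fi
```

Each line of the output pairs one conmon PID with one container, which is the one-to-one relation the slide asks you to observe; a container in podman ps with no matching conmon process, or a conmon process whose ID Podman does not know about, is worth a closer look.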

  21. All text and image content in this document is licensed under the Creative Commons Attribution-Share Alike 4.0 License (unless
    otherwise specified). “LibreOffice” and “The Document Foundation” are registered trademarks. Their respective logos and icons are
    subject to international copyright laws. The use of these thereof is subject to trademark policy.
    Finish
    Thank You
