URL: https://www.geeksforgeeks.org/devops/what-is-a-podman-container/


What is a Podman Container?

Last Updated : 26 Jul, 2024

Podman (Pod Manager) is an open-source tool developed by Red Hat that helps developers containerize their applications. Compared to Docker, Podman is light and lean: there is no central daemon adding resource overhead, so containers start faster and with fewer resources. This matters in contexts where resource efficiency and speed are paramount. Unlike Docker, which relies on a central daemon (dockerd), Podman has a daemonless architecture, so the daemon cannot become a single point of failure.

Benefits of Podman Containers

  1. Daemonless Architecture:
    • No Central Daemon: Podman is lighter than Docker as it does not use a central daemon, reducing potential points of failure.
    • Direct Management: Containers are controlled directly, offering higher control over their lifecycle.
  2. Rootless Containers:
    • Enhanced Security: Running containers without root access minimizes the risk of privilege escalation attacks.
    • User-Level Management: Containers can be managed at the user level, enforcing better security practices without requiring root privileges.
  3. Kubernetes Compatibility:
    • Pod Concept: Similar to Kubernetes pods, Podman allows grouping multiple containers that share a common network namespace.
    • Easy Transition: Podman applications can be easily ported to Kubernetes, improving the deployment process in production environments.
  4. Docker Compatibility:
    • Common CLI: Podman's CLI is largely compatible with Docker, allowing users to migrate with minimal adjustments.
    • Interoperability: Podman can create and manage Docker-format containers and images.

Key Features

  1. Daemonless Architecture: Podman operates without a central daemon, enhancing security and efficiency. Containers are started and managed directly by the Podman command line interface (CLI).
  2. Rootless Operation: Podman can run containers as a root or unprivileged user, providing a more secure environment by reducing the need for root access.
  3. Kubernetes-Like Pods: Pods in Podman group several containers that share network and storage resources, similar to Kubernetes pods.
  4. Compatibility with Docker CLI: Most Docker CLI commands and scripts can be used with Podman without modification, easing the transition for users switching from Docker.
  5. Container Image Management: Podman uses the same image formats as Docker, allowing easy pulling of images from Docker Hub or other container registries.

Understanding Pods and Infra Containers

What is an Infra Container?

Infra containers are lightweight containers created by Podman to hold a pod's state, including shared namespaces like network, PID, and IPC. They ensure the stability and resource management of the pod, maintaining the pod environment even if application containers restart.

Example: Setting Up a Pod with an Infra Container in Podman

  • Create a Pod with an Infra Container:
podman pod create --name mypod

This command creates a pod named mypod with an infra container to manage the pod's network namespace and other shared resources.

  • Adding Containers to the Pod:

Let's add two containers inside the pod. These will share the network namespace that will be managed by the infra container.

podman run -dt --pod mypod --name webserver nginx

podman run -dt --pod mypod --name database postgres

The first command deploys an Nginx web server container inside mypod. The next command creates a PostgreSQL database container in the same pod.

  • Networking and Resource Sharing:

podman exec -it webserver ping database

This command allows the webserver container to ping the database container using the shared network namespace.
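As an added example that is not part of the original article, the following script builds mypod as described above and then checks that webserver and database really share a single network namespace. It assumes podman is installed and can pull the nginx and postgres images; the POSTGRES_PASSWORD value is constructed.

```shell
#!/bin/sh
# Added example (not from the article): build the pod described above and prove
# that both application containers share the infra container's network namespace.
# Assumes podman is installed and can pull nginx and postgres; pod and container
# names are the article's. POSTGRES_PASSWORD=example is a constructed value.
set -eu

POD=mypod

# Two namespace identifiers such as "net:[4026532512]" refer to the same kernel
# namespace only when they are equal; succeed only for equal, non-empty values.
same_netns() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Namespace id seen by a process inside the container. Reading /proc/self avoids
# the ptrace permission check that /proc/1 needs when PID 1 runs as another user.
container_netns() {
    podman exec "$1" readlink /proc/self/ns/net
}

pod_demo() {
    podman pod create --name "$POD"
    podman run -dt --pod "$POD" --name webserver nginx
    # The postgres image refuses to start without a superuser password.
    podman run -dt --pod "$POD" --name database -e POSTGRES_PASSWORD=example postgres

    # Lists every container in the pod, the infra container included.
    podman pod ps --ctr-names

    web_ns=$(container_netns webserver)
    db_ns=$(container_netns database)
    if same_netns "$web_ns" "$db_ns"; then
        echo "webserver and database share network namespace $web_ns"
    else
        echo "namespaces differ: $web_ns vs $db_ns" >&2
        return 1
    fi
    # Removing the pod also removes the infra container and its namespaces.
    podman pod rm -f "$POD"
}

# Run the live demonstration only when invoked as: sh pod_demo.sh run
if [ "${1:-}" = run ] && command -v podman >/dev/null 2>&1; then
    pod_demo
fi
```

Because the namespace check compares kernel namespace inodes, it holds in both rootful and rootless mode regardless of which network backend the machine uses.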

What is Conmon?

Conmon (container monitor) is a process monitoring application that observes the lifecycle of container processes, handles logging, proxies signals, and captures exit statuses.

Essential Tasks of Conmon:

  1. Process Monitoring: Ensures container processes start, run, and exit correctly.
  2. Logging: Captures and handles container logs.
  3. Signal Proxying: Proxies signals from the parent process to the container process.
  4. Exit Status: Captures and reports the container process's exit status.

Installing Podman on Windows

While containers are inherently Linux-based, Podman can also be used on Mac and Windows. On Windows this relies on the Windows Subsystem for Linux (WSL) and the podman machine command.

Installation Steps:

  1. Install Windows Terminal:

winget install Microsoft.WindowsTerminal

Installation

1. Download the Windows installer for Podman. Every Podman release ships with a Windows installer, which can be downloaded from podman.io.

2. Select Podman CLI for Windows.

3. Click Install.

4. Restart your computer when prompted.

5. After the restart, the WSL kernel installation starts and the installation completes.

Podman Container Commands:

  1. Podman Machine Creation:

podman machine init

After podman machine init completes, the machine can be started with the following command:

podman machine start

Running a Container:

podman run ubi8-micro date

Setting Rootful or Rootless:

Stop the machine, then switch it to rootful or back to rootless:

podman machine stop
podman machine set --rootful
podman machine set --rootful=false

Podman machine ls command

Use the podman machine ls command to view a list of all available podman machine instances along with their current resource usage.

podman machine ls

Access the embedded WSL distribution:

podman machine ssh

Podman version

podman --version

Stop command

The machine is halted by using the podman machine stop command.

podman machine stop

rm command

Using podman machine rm command the machine can be removed.

podman machine rm

Benefits Of Podman Container

Run Rootless Containers: Reduce security risks by running containers without root privileges.

Use-Cases of Podman

  1. Optimize Capabilities: Use --cap-drop and --cap-add flags to limit container capabilities.
  2. Optimize Images: Use lightweight, secure images to minimize attack surfaces.
  3. Use Volumes Wisely: Manage persistent data with volumes or bind mounts.
  4. Regular Updates: Keep Podman and dependencies up-to-date with the latest security patches and features.

Differences between Podman and Docker

Feature             | Podman                                          | Docker
--------------------|-------------------------------------------------|------------------------------------------------
Daemon              | Daemonless architecture; runs in rootless mode  | Requires a running daemon (dockerd)
Rootless Operation  | Yes, supports running as non-root               | Limited rootless support
CLI Commands        | Compatible with the Docker CLI                  | Docker-specific commands
Container Runtime   | Uses CRI-O or other runtimes                    | Uses containerd as its runtime
Systemd Integration | Better integration with systemd                 | Requires additional configuration
Kubernetes Support  | Uses CRI-O for Kubernetes                       | Uses containerd; supports Kubernetes
Image Management    | Directly manipulates OCI images                 | Manages images via the Docker daemon
Networking          | Uses CNI plugins for networking                 | Built-in networking via dockerd
Security            | Focused on enhanced security                    | Secure, but the daemon introduces attack surface
Compatibility       | Compatible with Docker containers               | Native support for Docker containers
Installation        | Typically installed separately                  | Often bundled with Docker Compose, Swarm, etc.
API                 | No API; direct command execution                | REST API provided by the Docker daemon
Resource Management | Managed by the kernel (cgroups)                 | Managed by the Docker daemon

Best Practices with Podman

1. Run Rootless Containers

Reduce security risk: most containers should not run as root. To limit exposure to privilege escalation attacks, Podman fully supports running rootless.

2. Capabilities in a Boundary

Use the `--cap-drop` and `--cap-add` flags so a container keeps only the capabilities your deployment scenario actually requires. This reduces the attack surface by granting only what is truly needed.

3. Optimizing Images

Keep images minimal to reduce the attack surface and maximize efficiency. Images should be light and secure, so remove unneeded packages and files.

4. Use Volumes Wisely

Manage persistent data with volumes. Using named volumes or bind mounts keeps data across container restarts, makes data easier to manage, and keeps the containers themselves stateless.

5. Upgrade Regularly

Keep Podman and its dependencies up to date so you are always running with the latest security patches and features.
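An added example (not the article's code) that applies the --cap-drop/--cap-add advice from this section and from the use-case list above, then reads back from inside the container which capabilities are actually effective and decodes them. It assumes podman and the nginx image are available; the container name web-locked and the sample masks are constructed.

```shell
#!/bin/sh
# Added example (not from the article): run a container with every capability
# dropped except the few it needs, then read the effective set back from inside
# the container and decode it. Assumes podman and the nginx image are available;
# the container name web-locked and the sample masks are constructed.
set -eu

# Linux capability names in bit order: bit 0 = cap_chown ... bit 40 = cap_checkpoint_restore.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap \
linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner \
sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice \
sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap \
mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf \
checkpoint_restore"

# decode_caps HEXMASK: print one cap_* name per line for each bit set in the mask,
# e.g. the classic Docker default 00000000a80425fb yields 14 names.
decode_caps() {
    mask=$((0x$1))
    bit=0
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            echo "cap_$name"
        fi
        bit=$((bit + 1))
    done
}

# Effective capability mask of the container's PID 1, as the kernel reports it.
container_capeff() {
    podman exec "$1" awk '/^CapEff:/ {print $2}' /proc/1/status
}

cap_demo() {
    # Drop everything, then add back only what the official nginx image needs to
    # bind port 80 and switch its worker processes to the nginx user.
    podman run -d --name web-locked --cap-drop=ALL \
        --cap-add=CHOWN --cap-add=SETGID --cap-add=SETUID --cap-add=NET_BIND_SERVICE \
        nginx
    mask=$(container_capeff web-locked)
    echo "CapEff=$mask decodes to:"   # expected 00000000000004c1 for the four caps above
    decode_caps "$mask"
    podman rm -f web-locked
}

# Run the live demonstration only when invoked as: sh cap_demo.sh run
if [ "${1:-}" = run ] && command -v podman >/dev/null 2>&1; then
    cap_demo
fi
```

Decoding CapEff rather than trusting the command line is the check that matters: it shows what the kernel granted, including anything a default profile or a --privileged flag may have added.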

Troubleshooting

Common Issues and Solutions:

  • Version Validation: Ensure you're running the latest version of Podman.
podman version
  • Rootless Containers Cannot Ping Hosts: Enable unprivileged pings on the host:
sysctl -w "net.ipv4.ping_group_range=0 2000000"
  • Permission Denied: Specify a container storage path outside a noexec home directory by editing the storage.conf file.
  • Missing newuidmap: Install a compatible version of shadow-utils.

Conclusion

Podman offers a robust and secure alternative to Docker for container management, featuring a daemonless architecture, enhanced security with rootless containers, Kubernetes compatibility, and Docker interoperability. Whether you're transitioning from Docker or starting fresh, Podman provides a flexible and efficient solution for managing your containerized applications.
