Containers Cheatsheet

Written by Michael Anckaert - Published on - Posted in RHCA

Introduction

The podman command is used to manage containers on RHEL. This is similar to the docker command. Both podman and docker are container runtimes.

Application containers: once the application is finished, the container is done.

System containers: are used as the foundation to build custom images, they don't come with a standard application.

Container requirements

Containers on RHEL 8

Containers are OCI-compatible (Open Container Initiative): containers created with Docker can be run by Podman.

podman: manage containers and images
buildah: create new container images
skopeo: inspect, delete, copy and sign images

Rootless Containers

If a container runs a process on a privileged port, it needs root privileges. In podman you can run containers as a non-root user, aka Rootless Containers.

Scaling Containers

You need Container Orchestration to have features such as scalability, load balancing, etc.

Running a container

yum module install container-tools

podman run -d nginx

Red Hat registries: registry.redhat.io for official Red Hat products, registry.connect.redhat.com for third-party products.

To get a specific container: use the FQDN: podman pull registry.access.redhat.com/ubi8/ubi:latest

Note: UBI = Universal Base Image, based on RHEL 8.

podman pull to pre-pull the image from the registry to the local system.

podman run pulls the container if required and run it.

podman run -d: detached mode
podman run -it: interactive mode

Use option --rm to remove the container after using it.

Detach from a container tty using CTRL-p, CTRL-q. Exit from the primary container application using exit.

Managing images

podman login

Registries are specified in the file /etc/containers/registries.conf

podman search searches all registries.

Inspect images using the skopeo tool. skopeo inspect docker://registry.redhat.io/ubi8/ubi. Use podman to inspect images that are locally available: podman images and podman inspect registry.redhat.io/ubi8/ubi.

Get a list of all images using podman images.

Remove images using the podman rmi command.

Use podman logs <containername> to view container logs.

Managing container ports

podman run -d -p 8000:80: map host port 8000 to container port 80.
podman port -a: shows all current container port mappings.

firewall-cmd --add-port=8000/tcp --permanent to open a port; a --permanent rule only takes effect after firewall-cmd --reload.

Managing environment variables

Use -e VAR=value while starting a container to pass environment values.

Managing container state

podman ps shows all currently running containers

podman ps -a shows all containers

podman stop <container>: gracefully stop container using SIGTERM
podman kill <container>: stop container using SIGKILL
podman rm <container>: remove container but keep image

Run commands in a container

podman exec <container> <command>: runs a command inside a running container
podman exec -it <container> /bin/bash: runs an interactive shell inside a running container

Rootless and Root containers

Rootless containers cannot bind to a privileged port and do NOT have an IP address. They need port forwarding.

To start a Root container you need to run podman with sudo.

Attaching storage to Containers

Container storage is ephemeral. Modifications made to the container are lost if the container is removed. Persistent storage makes use of bind mounts.

Ensure the user account has access to the host directory, set the SELinux context type to container_file_t.

sudo mkdir /dbfiles
sudo chmod o+w /dbfiles
sudo semanage fcontext -a -t container_file_t "/dbfiles(/.*)?"
sudo restorecon -Rv /dbfiles
podman run -d --name mydb -v /dbfiles:/var/lib/mysql:Z <image>

Manage containers as services

Configure Systemd to start your containers. For this we will create systemd user unit files for rootless containers and manage them with systemctl.

If K8S or OpenShift is used, containers will be automatically started by default.

Systemd user services are started when a user session is opened. Use loginctl enable-linger to start user services with the system: loginctl enable-linger <user>, and check with loginctl show-user <user>.

Steps:

To generate a service file for a root container, do it from the /etc/systemd/system directory.

Create user unit files in ~/.config/systemd/user and manage them using systemctl --user:

systemctl --user daemon-reload
systemctl --user enable myapp.service
systemctl --user start myapp.service
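The rootless service steps above as one script. This is an added example, not from the original cheatsheet: it writes a user unit in the shape that podman generate systemd --new --files produces, then reloads, enables and starts it. The container name mydb, the bind mount from the storage section and the image argument are assumptions.

```shell
#!/bin/sh
# Added example: manage a rootless container as a systemd user service.
# Assumes a container name (e.g. mydb) and an image reference you supply.

# write_rootless_unit NAME IMAGE [extra podman run args...]
# Writes ~/.config/systemd/user/container-NAME.service and prints its path.
write_rootless_unit() {
    name="$1"; image="$2"; shift 2
    extra="$*"
    unit_dir="${XDG_CONFIG_HOME:-$HOME/.config}/systemd/user"
    mkdir -p "$unit_dir"
    unit="$unit_dir/container-$name.service"
    # %t is the user's runtime dir, %n the unit name; the cidfile lets
    # ExecStop/ExecStopPost find the container without relying on its name.
    cat > "$unit" <<EOF
[Unit]
Description=Podman container-$name.service
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/%n.ctr-id
ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --cgroups=no-conmon --rm --sdnotify=conmon --replace -d --name $name ${extra:+$extra }$image
ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id -t 10
ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all

[Install]
WantedBy=default.target
EOF
    echo "$unit"
}

# enable_rootless_unit NAME: reload the user manager, enable and start the
# unit, and keep the user manager alive without an open login session.
enable_rootless_unit() {
    systemctl --user daemon-reload
    systemctl --user enable --now "container-$1.service"
    loginctl enable-linger "$(id -un)"
}

# Usage (placeholder image; replace with a real reference):
# write_rootless_unit mydb <image> -v /dbfiles:/var/lib/mysql:Z
# enable_rootless_unit mydb
```

WantedBy=default.target is what makes the unit start with the user manager; with lingering enabled that happens at boot rather than at login.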