"RHEL RHCSA Container notes"

Published: Sat 23 April 2022

This article serves as notes on container management. It does not explain what containers are on RHEL-like systems; that is left to the reader to research. It covers how to check the container tools, inspect images, and download and run them, how to remove containers and images, and how to set up root and rootless containers that can be controlled via systemd. You can register for a developer account with Red Hat to access their RHEL machines and docker registry. This article is based on Asghar Ghori's updated book on preparing for RHEL RHCSA.

Image Management

  1. Install necessary tools
    sudo dnf module install container-tools
  2. Log in to registry.redhat.io
    podman login registry.redhat.io
  3. Search, Examine, Download and Remove an Image
    podman search registry.redhat.io/rhel8/mysql
    This will return a few matching results.
  4. skopeo inspect registry.redhat.io/rhel8/mysql-80
    The above command will inspect the image and list the available versions and other relevant information.
  5. podman pull docker://registry.redhat.io/rhel8/mysql-80
    This will download the latest MySQL image from the provided URL.
  6. podman images
    This will display the images stored on localhost.
  7. podman inspect mysql-80
    This will show the details of the image on localhost.
  8. podman rmi mysql-80
    This will remove the image from localhost. Verify by running podman images, which should return an empty result.

Basic Container Management

Run, Interact and Remove a Named Container

  1. podman run -ti --name rhel8-base-os ubi8
    This will run a container named rhel8-base-os from the universal base image for RHEL 8. -ti stands for terminal and interactive, which means you will drop into the container's shell to interact with the container. Go ahead and run a few commands. Type exit to quit the container.
  2. podman exec rhel8-base-os cat /etc/redhat-release
    This will execute the command cat /etc/redhat-release inside the container we created, from the current terminal. The key is the exec subcommand. This command will fail initially because the container is stopped, so you need to start the container using podman start rhel8-base-os and then run the initial command again.
  3. podman attach rhel8-base-os
    This command will connect to the container we created.
  4. podman rm rhel8-base-os will delete the container. If it is still running, stop it first with podman stop rhel8-base-os.
  5. podman run --rm ubi8 ls will download the Universal Base Image 8, run a container with the command passed, and remove the container afterwards.

Advanced Container Management

  1. podman run -dp 10000:80 --name httpd httpd-24 will map host port 10000 to container port 80 and run in detached mode. In order to run this command you will need to pull the httpd-24 image from registry.redhat.io.
  2. podman port httpd will show the port mapping for the container.
  3. podman stop httpd will stop the container. You can verify the container stopped by issuing podman ps -a.
  4. podman run -it -e HISTSIZE -e SECRET="tryhackme" --name rhel8 ubi8 will set the environment variables for the container, then run the container and drop into the container's shell. You can then verify that the environment variables are set.
  5. podman run --name rhel8 -v /host_data:/container_data:Z -it ubi8 will attach a mount point to the container. Before running this command, create /host_data and give it 777 permission. The name rhel8 is already taken by the container from point 4, so remove that one first with podman rm rhel8. The -v flag attaches the mount point, and the :Z ensures that the correct SELinux context is applied. View /container_data in the container to see if it is created with the correct SELinux type. You can also create a file in /container_data, exit and view the SELinux context in /host_data. This shows it is inherited.
  6. podman run --name rhel8 -v /host_data:/container_data2:Z -it ubi8 shows that the data created during point 5 is persistent across containers. As before, remove the previous rhel8 container first so the name is free.

Configure a Root container as a systemd Service

  1. podman run -dt --name root-container ubi8 will run the container in detached mode.
  2. podman generate systemd --new --name root-container > /etc/systemd/system/root-container.service will generate the required systemd configuration and store it in the specified directory. Now stop and remove the container using podman and run systemctl daemon-reload. Enable the container by running systemctl enable --now root-container. You can see the container running as a systemd service by issuing systemctl status root-container. You can also restart the systemd service by issuing systemctl restart root-container.

Configure a Rootless Container as a systemd Service

This section assumes that you have created a rootless container using the podman command.

  1. mkdir ~/.config/systemd/user -p will create the directory that stores the service unit file.
  2. podman generate systemd --new --name rootless-container > ~/.config/systemd/user/rootless-container.service will create the service unit file under the directory we created earlier. Run systemctl --user daemon-reload to load all the user-related systemd files. Then systemctl --user enable --now rootless-container will enable and run the rootless container as a systemd service confined to the user.
  3. The issue with a rootless container is that it gets stopped as soon as the user logs out. To make it persistent, so that the container keeps running even after the user has logged out, run loginctl enable-linger.
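
With --new, podman generate systemd writes the container's original podman run command line into ExecStart, so flags such as -e SECRET=... and -v from the Advanced Container Management section end up in the root or rootless unit file. The script below is an added example, not part of the original notes: it reviews such a unit before it is enabled. The sample unit is constructed and trimmed, /srv/logs is a made-up path, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: review a unit written by `podman generate systemd --new`.

# Constructed sample, modelled on podman's output for a container created
# with the -e and -v flags used in these notes.
write_sample_unit() {
  cat > "$1" <<'EOF'
[Service]
ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --rm --replace -dt -e HISTSIZE -e SECRET=tryhackme -v /host_data:/container_data:Z -v /srv/logs:/logs --name rhel8 ubi8
ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
[Install]
WantedBy=default.target
EOF
}

# Print one finding per line. ExecStart is split on whitespace, so arguments
# containing quoted spaces are not handled.
review_unit() {
  awk '
    /^ExecStart=/ {
      sub(/^ExecStart=/, "")
      if ($2 == "run") print "mode: new container on every start"
      else             print "mode: starts an existing container"
      for (i = 1; i < NF; i++) {
        val = $(i + 1)
        if (($i == "-e" || $i == "--env") && val ~ /=/) {
          sub(/=.*/, "", val)   # report the variable name, never its value
          print "inline-env: " val
        }
        if ($i == "-v" || $i == "--volume") {
          n = split(val, part, ":")
          if (n < 3 || ("," part[3] ",") !~ /,[zZ],/)
            print "volume-no-relabel: " val
        }
      }
    }' "$1"
}

# True when the "other" read bit is set, so any local user can read the unit.
world_readable() {
  [ -n "$(find "$1" -prune -perm -004)" ]
}

unit=$(mktemp)
write_sample_unit "$unit"
chmod 644 "$unit"   # mode a shell redirect produces under the usual 022 umask
review_unit "$unit"
world_readable "$unit" && echo "world-readable: ExecStart is visible to all local users"
rm -f "$unit"
```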