This article serves as notes on container management. It does not delve into how containers work in RHEL-like systems; that is left to the reader to research. It covers how to check container tools, inspect, download and run images, and remove containers and images, as well as how to generate root and rootless containers that can be controlled via systemd. You can register for a developer account with Red Hat to access their RHEL machines and Docker registry. This article is based on Asghar Ghori's updated book on preparing for the RHEL RHCSA.
- Install necessary tools
sudo dnf module install container-tools
- Login to
podman login registry.redhat.io
- Search, Examine, Download and Remove an Image
podman search registry.redhat.io/rhel8/mysql
This will return a couple of results.
skopeo inspect registry.redhat.io/rhel8/mysql-80
The above command inspects the image and lists the available versions and other relevant information.
podman pull docker://registry.redhat.io/rhel8/mysql-80
This will download the latest MySQL image from the provided URL.
This will display the images stored on localhost.
podman inspect mysql-80
This will show the image details on localhost.
podman rmi mysql-80
This will remove the image from localhost. Verify by running podman images and you will get an empty result.
Basic Container Management
Run, Interact and Remove a Named Container
podman run -ti --name rhel8-base-os ubi8
This will run a container named rhel8-base-os from the Universal Base Image for RHEL 8. -ti is for terminal and interaction. This basically means you will drop into the container's shell for interaction with the container. Go ahead and run a few commands. Type exit to quit the container.
podman exec rhel8-base-os cat /etc/redhat-release
This will execute the command cat /etc/redhat-release inside the container we created, from the current terminal. The key is the exec subcommand. This command will fail initially because the container stopped when you exited its shell, so you need to start the container using podman start rhel8-base-os and then run the initial command again.
podman attach rhel8-base-os
This command will connect to the container we created.
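podman rm rhel8-base-os
This will delete the container. Podman refuses to remove a container that is still running unless it is stopped first or the removal is forced.
podman run --rm ubi8 ls
This will download the Universal Base Image 8, run the container with the command passed, and remove the container afterwards.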
Advanced Container Management
podman run -dp 10000:80 --name httpd httpd-24
This will map port 10000 on the host to port 80 in the container and run it in detached mode. In order to run this command you will need to pull the httpd-24 image from registry.redhat.io.
podman port httpd
This will show the port mapping for the container.
podman stop httpd
This will stop the container. You can verify that the container has stopped by issuing
podman ps -a
podman run -it -e HISTSIZE -e SECRET="tryhackme" --name rhel8 ubi8
This will set the environment variables for the container, then run the container and drop into the container's shell. You can then verify the environment variables set.
podman run --name rhel8 -v /host_data:/container_data:Z -it ubi8
Before running this command, create /host_data and give it 777 permission. The name rhel8 was already used in the previous step, so that container has to be removed before the name can be reused. The -v flag attaches a mount point to the container. The :Z ensures that the correct SELinux context is applied. View /container_data in the container to see if it is created with the correct SELinux type. You can also create a file in /container_data, exit, and view the SELinux context in /host_data. This shows it is inherited.
podman run --name rhel8 -v /host_data:/container_data2:Z -it ubi8
This is to show that the data created in the previous step is persistent across containers.
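Added example, not part of the original notes: a value passed with -e, such as SECRET above, is stored in the container's configuration and can be read back by anyone able to run podman inspect on it. The function below lists variable names that look like credentials; the name patterns, the function names and the sample environment are constructed for illustration.

```shell
#!/bin/sh
# Input: KEY=VALUE lines on stdin, one per line.
# Output: names of variables that look like credentials (values are never printed).
secret_env_names() {
    while IFS= read -r line; do
        name=${line%%=*}
        # Compare case-insensitively so db_password and DB_PASSWORD both match
        case $(printf '%s' "$name" | tr '[:lower:]' '[:upper:]') in
            *SECRET*|*PASSWORD*|*PASSWD*|*TOKEN*|*API_KEY*|*PRIVATE_KEY*)
                printf '%s\n' "$name" ;;
        esac
    done
}

# Audit a real container by name, e.g. audit_container rhel8
audit_container() {
    podman inspect --format '{{range .Config.Env}}{{println .}}{{end}}' "$1" |
        secret_env_names
}

# Constructed sample of the environment of the rhel8 container started above
sample_env() {
    cat <<'EOF'
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
container=oci
HISTSIZE=1000
SECRET=tryhackme
EOF
}

# Runs offline on the constructed sample
sample_env | secret_env_names
```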
Configure a Root container as a systemd Service
podman run -dt --name root-container ubi8
This will run the container in detached mode.
podman generate systemd --new --name root-container > /etc/systemd/system/root-container.service
This will generate the required systemd configuration and store it in the directory specified. Now stop and remove the container, then reload systemd so that it picks up the new unit file:
systemctl daemon-reload
Enable the container by running
systemctl enable --now root-container
You can see the container running as a systemd service by issuing
systemctl status root-container
You can also restart the systemd service by issuing
systemctl restart root-container
Configure a Rootless Container as a systemd Service
This section assumes that you have created a rootless container using the podman command.
mkdir ~/.config/systemd/user -p
This creates the directory to store the service unit file.
podman generate systemd --new --name rootless-container > ~/.config/systemd/user/rootless-container.service
This will create the service unit file under the directory we created earlier. Run
systemctl --user daemon-reload
to load all the user-related systemd files. Now run
systemctl --user enable --now rootless-container
to enable and run the rootless container as a systemd service confined to the user.
- The issue with a rootless container is that when the user logs out, the container is stopped. To make it persistent, that is, to keep the container running even after the user has logged out, run this command
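Added example, not part of the original notes: the steps from both systemd sections as one script for the rootless case (the root case differs only in writing the unit to /etc/systemd/system and dropping --user). loginctl enable-linger is this example's assumption for keeping the user's services running after logout; unit_path, linger_enabled and install_rootless_service are helper names chosen here.

```shell
#!/bin/sh
# Run as the unprivileged user from a real login session (for example ssh,
# not su), so that systemctl --user can reach the user's systemd instance.
# Usage: install_rootless_service rootless-container

unit_path() {   # where the user unit for container $1 is written
    printf '%s/.config/systemd/user/%s.service\n' "$HOME" "$1"
}

linger_enabled() {   # logind records lingering as a file named after the user
    [ -e "${2:-/var/lib/systemd/linger}/$1" ]
}

install_rootless_service() {
    name=$1
    mkdir -p "$(dirname "$(unit_path "$name")")" || return 1
    # The container must already exist so that podman can describe it
    podman generate systemd --new --name "$name" > "$(unit_path "$name")" || return 1
    # --new makes the unit create the container itself, so drop the manual one
    podman stop "$name" && podman rm "$name"
    systemctl --user daemon-reload
    systemctl --user enable --now "$name" || return 1
    # Assumption: lingering is what keeps user services alive after logout
    loginctl enable-linger "$(id -un)"
    # Succeed only if lingering is really recorded for this user
    linger_enabled "$(id -un)"
}
```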