Podman in Action
Podman in Action describes how users can build, manage, and run containers. My goal in writing it was to explain how easy it is to transfer skills you might have learned in Docker to Podman, as well as how easy it is to use Podman if you have never used a container engine before. Podman in Action also teaches you how to use advanced features like Podman pods and guides you on your journey toward building Podman applications ready to run on the edge or inside Kubernetes. Finally, Podman in Action explains all of the Linux kernel security features used to isolate containers from the system as well as from other containers.
brief contents
Part 1. Foundations
1 Podman: A next-generation container engine
2 Command line
3 Volumes
4 Pods
Part 2. Design
5 Customization and configuration files
6 Rootless containers
Part 3. Advanced topics
7 Integration with systemd
8 Working with Kubernetes
9 Podman as a service
Part 4. Container security
10 Security container isolation
11 Additional security considerations
Appendix A. Podman-related container tools
Appendix B. OCI runtimes
Appendix C. Getting Podman
Appendix D. Contributing to Podman
Appendix E. Podman on macOS
Appendix F. Podman on Windows
contents
Front matter
preface
acknowledgments
about this book
about the author
about the cover illustration
Part 1. Foundations
1 Podman: A next-generation container engine
1.1 About all these terms
1.2 A brief overview of containers
Container images: A new way to ship software
Container images lead to microservices
Container image format
Container standards
1.3 Why use Podman when you have Docker?
Why have only one way to run containers?
Rootless containers
Fork/exec model
Podman is daemonless
User-friendly command line
Support for REST API
Integration with systemd
Pods
Customizable registries
Multiple transports
Complete customizability
User-namespace support
1.4 When not to use Podman
2 Command line
2.1 Working with containers
Exploring containers
Running the containerized application
Stopping containers
Starting containers
Listing containers
Inspecting containers
Removing containers
exec-ing into a container
Creating an image from a container
2.2 Working with container images
Differences between a container and an image
Listing images
Inspecting images
Pushing images
podman login: Logging into a container registry
Tagging images
Removing images
Pulling images
Searching for images
Mounting images
2.3 Building images
Format of a Containerfile or Dockerfile
Automating the building of our application
3 Volumes
3.1 Using volumes with containers
Named volumes
Volume mount options
podman run --mount command option
4 Pods
4.1 Running pods
4.2 Creating a pod
4.3 Adding a container to a pod
4.4 Starting a pod
4.5 Stopping a pod
4.6 Listing pods
4.7 Removing pods
Part 2. Design
5 Customization and configuration files
5.1 Configuration files for storage
Storage location
Storage drivers
5.2 Configuration files for registries
registries.conf
5.3 Configuration files for engines
5.4 System configuration files
6 Rootless containers
6.1 How does rootless Podman work?
Images contain content owned by multiple user identifiers (UIDs)
6.2 Rootless Podman under the covers
Pulling the image
Creating a container
Setting up the network
Starting the container monitor: conmon
Launching the OCI runtime
The containerized application runs until completion
Part 3. Advanced topics
7 Integration with systemd
7.1 Running systemd within a container
Containerized systemd requirements
Podman container in systemd mode
Running an Apache service within a systemd container
7.2 Journald for logging and events
Log driver
Events
7.3 Starting containers at boot
Restarting containers
Podman containers as systemd services
Distributing systemd unit files to manage Podman containers
Automatically updating Podman containers
7.4 Running containers in notify unit files
7.5 Rolling back failed containers after update
7.6 Socket-activated Podman containers
8 Working with Kubernetes
8.1 Kubernetes YAML files
8.2 Generating Kubernetes YAML files with Podman
8.3 Generating Podman pods and containers from Kubernetes YAML
Shutting down pods and containers based on a Kubernetes YAML file
Building images using Podman and Kubernetes YAML files
8.4 Running Podman within a container
Running Podman within a Podman container
Running Podman within a Kubernetes pod
9 Podman as a service
9.1 Introducing the Podman service
Systemd services
9.2 Podman-supported APIs
9.3 Python libraries for interacting with Podman
Using docker-py with the Podman API
Using podman-py with the Podman API
Which Python library should you use?
9.4 Using docker-compose with the Podman service
9.5 podman --remote
Local connections
Remote connections
Setting up SSH on the client machine
Configuring a connection
Part 4. Container security
10 Security container isolation
10.1 Read-only Linux kernel pseudo filesystems
Unmasking the masked paths
Masking additional paths
10.2 Linux capabilities
Dropped Linux capabilities
Dropped CAP_SYS_ADMIN
Dropping capabilities
Adding capabilities
No new privileges
Root with no capabilities is still dangerous
10.3 UID isolation: User namespace
Isolating containers using the --userns=auto flag
User-namespaced Linux capabilities
Rootless Podman with the --userns=auto flag
User volumes with the --userns=auto flag
10.4 Process isolation: PID namespace
10.5 Network isolation: Network namespace
10.6 IPC isolation: IPC namespace
10.7 Filesystem isolation: Mount namespace
10.8 Filesystem isolation: SELinux
SELinux type enforcement
SELinux Multi-Category Security separation
10.9 System call isolation: seccomp
10.10 Virtual machine isolation
11 Additional security considerations
11.1 Daemon versus the fork/exec model
Access to the docker.sock
Auditing and logging
11.2 Podman secret handling
11.3 Podman image trust
Podman image signing
11.4 Podman image scanning
Read-only containers
11.5 Security in depth
Podman uses all security mechanisms simultaneously
Where should you run your containers?
Appendix A. Podman-related container tools
Appendix B. OCI runtimes
Appendix C. Getting Podman
Appendix D. Contributing to Podman
Appendix E. Podman on macOS
Appendix F. Podman on Windows
index