Chapter 25. Running special container images
You can run some special types of container images. Some container images have built-in labels called runlabels that enable you to run those containers with preset options and arguments. Using the podman container runlabel <label> command, you can execute the command defined in the <label> for the container image. Supported labels are install, run and uninstall.
25.1. Opening privileges to the host
There are several differences between privileged and non-privileged containers. For example, the toolbox container is a privileged container. Here are examples of privileges that may or may not be open to the host from a container:
- Privileges: A privileged container disables the security features that isolate the container from the host: it keeps the full set of Linux capabilities instead of the default restricted set, runs without the default seccomp filter and SELinux separation, and can access the host's devices. You can run a privileged container using the podman run --privileged <image_name> command. You can, for example, delete files and directories mounted from the host that are owned by the root user.
- Process tables: You can use the podman run --privileged --pid=host <image_name> command to use the host PID namespace for the container. Then you can use the ps -e command within the privileged container to list all processes running on the host, and you can pass a process ID from the host to commands that run in the privileged container (for example, kill <PID>).
- Network interfaces: By default, a container has only one external network interface and one loopback network interface. You can use the podman run --net=host <image_name> command to access host network interfaces directly from within the container; services in the container then listen on the host's own addresses and ports.
- Inter-process communications: A container gets its own IPC namespace by default, so the host's IPC objects are not visible even from a privileged container. You can use the podman run --ipc=host <image_name> command to share the host IPC namespace; then you can run commands such as ipcs within the container to see information about active message queues, shared memory segments, and semaphore sets on the host.
None of these options implies the others. The --privileged option by itself leaves the container in its own PID, network and IPC namespaces, which is why run labels that need host visibility combine it with --pid=host and --net=host.
25.2. Container images with runlabels
Some Red Hat images include labels that provide pre-set command lines for working with those images. Using the podman container runlabel <label> command, you can execute the command defined in the <label> for the image.
Existing runlabels include:
- install: Sets up the host system before executing the image. Typically, this results in creating files and directories on the host that the container can access when it is run later.
- run: Identifies podman command line options to use when running the container. Typically, the options open privileges on the host and mount the host content that the container needs, so that the content remains permanently on the host.
- uninstall: Cleans up the host system after you finish running the container.
Because these command lines typically open privileges to the host, add the --display option (podman container runlabel <label> --display <image>) to print the command that a label would run without executing it, and review that command before you run the label.
25.3. Running rsyslog with runlabels
The rhel8/rsyslog container image is made to run a containerized version of the rsyslogd daemon. The rsyslog image contains the following runlabels: install, run and uninstall. The following procedure steps you through installing, running, and uninstalling the rsyslog image:
Prerequisites
- The container-tools module is installed.
Procedure
1. Pull the rsyslog image:
   # podman pull registry.redhat.io/rhel8/rsyslog
2. Display the install runlabel for rsyslog:
   # podman container runlabel install --display rhel8/rsyslog
   command: podman run --rm --privileged -v /:/host -e HOST=/host -e IMAGE=registry.redhat.io/rhel8/rsyslog:latest -e NAME=rsyslog registry.redhat.io/rhel8/rsyslog:latest /bin/install.sh
   This shows that the command will open privileges to the host, mount the host root filesystem on /host in the container, and run an install.sh script.
3. Run the install runlabel for rsyslog:
   # podman container runlabel install rhel8/rsyslog
   command: podman run --rm --privileged -v /:/host -e HOST=/host -e IMAGE=registry.redhat.io/rhel8/rsyslog:latest -e NAME=rsyslog registry.redhat.io/rhel8/rsyslog:latest /bin/install.sh
   Creating directory at /host//etc/pki/rsyslog
   Creating directory at /host//etc/rsyslog.d
   Installing file at /host//etc/rsyslog.conf
   Installing file at /host//etc/sysconfig/rsyslog
   Installing file at /host//etc/logrotate.d/syslog
   This creates files on the host system that the rsyslog image will use later.
4. Display the run runlabel for rsyslog:
   # podman container runlabel run --display rhel8/rsyslog
   command: podman run -d --privileged --name rsyslog --net=host --pid=host -v /etc/pki/rsyslog:/etc/pki/rsyslog -v /etc/rsyslog.conf:/etc/rsyslog.conf -v /etc/sysconfig/rsyslog:/etc/sysconfig/rsyslog -v /etc/rsyslog.d:/etc/rsyslog.d -v /var/log:/var/log -v /var/lib/rsyslog:/var/lib/rsyslog -v /run:/run -v /etc/machine-id:/etc/machine-id -v /etc/localtime:/etc/localtime -e IMAGE=registry.redhat.io/rhel8/rsyslog:latest -e NAME=rsyslog --restart=always registry.redhat.io/rhel8/rsyslog:latest /bin/rsyslog.sh
   This shows that the command opens privileges to the host and mounts specific files and directories from the host inside the container when it launches the rsyslog container to run the rsyslogd daemon.
5. Execute the run runlabel for rsyslog:
   # podman container runlabel run rhel8/rsyslog
   command: podman run -d --privileged --name rsyslog --net=host --pid=host -v /etc/pki/rsyslog:/etc/pki/rsyslog -v /etc/rsyslog.conf:/etc/rsyslog.conf -v /etc/sysconfig/rsyslog:/etc/sysconfig/rsyslog -v /etc/rsyslog.d:/etc/rsyslog.d -v /var/log:/var/log -v /var/lib/rsyslog:/var/lib/rsyslog -v /run:/run -v /etc/machine-id:/etc/machine-id -v /etc/localtime:/etc/localtime -e IMAGE=registry.redhat.io/rhel8/rsyslog:latest -e NAME=rsyslog --restart=always registry.redhat.io/rhel8/rsyslog:latest /bin/rsyslog.sh
   28a0d719ff179adcea81eb63cc90fcd09f1755d5edb121399068a4ea59bd0f53
   The rsyslog container opens privileges, mounts what it needs from the host, and runs the rsyslogd daemon in the background (-d); the long hexadecimal string printed is the ID of the new container. The rsyslogd daemon begins gathering log messages and directing messages to files in the /var/log directory.
6. Display the uninstall runlabel for rsyslog:
   # podman container runlabel uninstall --display rhel8/rsyslog
   command: podman run --rm --privileged -v /:/host -e HOST=/host -e IMAGE=registry.redhat.io/rhel8/rsyslog:latest -e NAME=rsyslog registry.redhat.io/rhel8/rsyslog:latest /bin/uninstall.sh
7. Run the uninstall runlabel for rsyslog:
   # podman container runlabel uninstall rhel8/rsyslog
   command: podman run --rm --privileged -v /:/host -e HOST=/host -e IMAGE=registry.redhat.io/rhel8/rsyslog:latest -e NAME=rsyslog registry.redhat.io/rhel8/rsyslog:latest /bin/uninstall.sh
In this case, the uninstall.sh script only removes the /etc/logrotate.d/syslog file. It does not clean up the configuration files that the install label created (/etc/rsyslog.conf, /etc/sysconfig/rsyslog, /etc/rsyslog.d and /etc/pki/rsyslog), and it does not stop or remove the rsyslog container that the run label started with --restart=always. Stop and remove that container yourself with podman stop rsyslog and podman rm rsyslog when you no longer need it.
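The options that sections 25.1 and 25.3 show opening the host (--privileged, --pid=host, --net=host, and writable bind mounts of host paths such as -v /:/host) are easy to miss in a long --display line. The following shell script is an added example, not code from the Red Hat documentation or the rhel8/rsyslog image: it takes a podman run command line as one string, such as the one printed by --display, prints one finding per host-opening option, and exits with the number of findings. The function names and the finding text are this example's own; the two command lines embedded in it are copied from the --display output shown above, and SAFE_CMD is a constructed command line with no host-opening options, for comparison.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation or the rhel8/rsyslog
# image): audit a "podman run" command line, such as the one printed by
# "podman container runlabel <label> --display <image>", and report every
# option that opens the host to the container.

# Copied from the --display output shown in this chapter:
RSYSLOG_INSTALL_CMD='podman run --rm --privileged -v /:/host -e HOST=/host -e IMAGE=registry.redhat.io/rhel8/rsyslog:latest -e NAME=rsyslog registry.redhat.io/rhel8/rsyslog:latest /bin/install.sh'
RSYSLOG_RUN_CMD='podman run -d --privileged --name rsyslog --net=host --pid=host -v /etc/pki/rsyslog:/etc/pki/rsyslog -v /etc/rsyslog.conf:/etc/rsyslog.conf -v /etc/sysconfig/rsyslog:/etc/sysconfig/rsyslog -v /etc/rsyslog.d:/etc/rsyslog.d -v /var/log:/var/log -v /var/lib/rsyslog:/var/lib/rsyslog -v /run:/run -v /etc/machine-id:/etc/machine-id -v /etc/localtime:/etc/localtime -e IMAGE=registry.redhat.io/rhel8/rsyslog:latest -e NAME=rsyslog --restart=always registry.redhat.io/rhel8/rsyslog:latest /bin/rsyslog.sh'
# Constructed for comparison: read-only bind mount, nothing else opened.
SAFE_CMD='podman run --rm -v /etc/localtime:/etc/localtime:ro,Z registry.redhat.io/ubi8/ubi date'

# report_mount SPEC: SPEC is the argument of -v/--volume, "src:dest[:opts]".
# Prints a finding and returns 0 for a writable bind mount of a host path;
# returns 1 for named/anonymous volumes and for read-only (ro) bind mounts.
report_mount() {
    spec=$1
    case "$spec" in *:*) ;; *) return 1 ;; esac      # no colon: a volume, not a host path
    src=${spec%%:*}
    case "$src" in /*) ;; *) return 1 ;; esac        # source is a named volume
    rest=${spec#*:}                                   # dest[:opts]
    case "$rest" in *:*) opts=${rest#*:} ;; *) opts='' ;; esac
    case ",$opts," in *,ro,*) return 1 ;; esac        # read-only: leave it
    if [ "$src" = / ]; then
        echo "-v $spec: host root filesystem mounted writable"
    else
        echo "-v $spec: host path $src mounted writable"
    fi
    return 0
}

# audit_run_cmd "podman run ...": prints one line per finding; its exit
# status is the number of findings, so 0 means nothing opens the host.
# Runs in a subshell so that "set -f" (no glob expansion while splitting
# the command line into words) does not leak into the caller.
audit_run_cmd() (
    set -f
    count=0
    prev=''
    for word in $1; do
        # options whose value is the next word
        case "$prev" in
            -v|--volume)
                report_mount "$word" && count=$((count + 1)) ;;
            --cap-add)
                echo "--cap-add $word: capability added beyond the default set"
                count=$((count + 1)) ;;
            --security-opt)
                case "$word" in
                    label=disable|label:disable|seccomp=unconfined|apparmor=unconfined)
                        echo "--security-opt $word: default confinement switched off"
                        count=$((count + 1)) ;;
                esac ;;
        esac
        # single-word options
        case "$word" in
            --privileged)
                echo "--privileged: capabilities not dropped, seccomp filter and SELinux separation off, host devices exposed"
                count=$((count + 1)) ;;
            --pid=host)
                echo "--pid=host: host process table visible, host PIDs can be signalled"
                count=$((count + 1)) ;;
            --net=host|--network=host)
                echo "--net=host: host network interfaces used directly"
                count=$((count + 1)) ;;
            --ipc=host)
                echo "--ipc=host: host message queues, shared memory and semaphores shared"
                count=$((count + 1)) ;;
            --volume=*)
                report_mount "${word#*=}" && count=$((count + 1)) ;;
            --cap-add=*)
                echo "${word%%=*} ${word#*=}: capability added beyond the default set"
                count=$((count + 1)) ;;
        esac
        prev=$word
    done
    exit "$count"
)

# Demo: audit the install and run command lines from this chapter, plus
# the constructed SAFE_CMD, and print the number of findings for each.
for cmd in "$RSYSLOG_INSTALL_CMD" "$RSYSLOG_RUN_CMD" "$SAFE_CMD"; do
    echo "== $cmd"
    audit_run_cmd "$cmd" && echo "   no host-opening options" || echo "   findings: $?"
done
```

To audit a real label, strip the "command: " prefix that --display prints, for example audit_run_cmd "$(podman container runlabel run --display rhel8/rsyslog | sed 's/^command: //')". The script only understands the -v/--volume form of bind mounts; the --mount type=bind,... form is not parsed, so treat a command line that uses it as unreviewed.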