Chapter 1. Introduction to containers
Linux containers have emerged as a key open source application packaging and delivery technology, combining lightweight application isolation with the flexibility of image-based deployment methods. {ProductName} implements Linux containers using core technologies such as:
- Control groups (cgroups) for resource management
- Namespaces for process isolation
- SELinux for security
- Secure multi-tenancy
These technologies reduce the potential for security exploits and provide you with an environment for producing and running enterprise-quality containers.
Red Hat OpenShift provides powerful command-line and Web UI tools for building, managing, and running containers in units referred to as pods. Red Hat allows you to build and manage individual containers and container images outside of OpenShift. This guide describes the tools provided to perform those tasks that run directly on {ProductShortName} systems.
Unlike other container tools implementations, the tools described here do not center around the monolithic Docker container engine and docker command. Instead, Red Hat provides a set of command-line tools that can operate without a container engine. These include:
-
podman - for directly managing pods and container images (
run,stop,start,ps,attach,exec, and so on) - buildah - for building, pushing, and signing container images
- skopeo - for copying, inspecting, deleting, and signing images
- runc - for providing container run and build features to podman and buildah
- crun - an optional runtime that can be configured and gives greater flexibility, control, and security for rootless containers
Because these tools are compatible with the Open Container Initiative (OCI), they can be used to manage the same Linux containers that are produced and managed by Docker and other OCI-compatible container engines. However, they are especially suited to run directly on Red Hat Enterprise Linux, in single-node use cases.
For a multi-node container platform, see OpenShift and Using the CRI-O Container Engine for details.
1.1. Characteristics of Podman, Buildah, and Skopeo
The Podman, Skopeo, and Buildah tools were developed to replace Docker command features. Each tool in this scenario is more lightweight and focused on a subset of features.
The main advantages of Podman, Skopeo and Buildah tools include:
- Running in rootless mode - rootless containers are much more secure, as they run without any added privileges
- No daemon required - these tools have much lower resource requirements at idle, because if you are not running containers, Podman is not running. Docker, conversely, have a daemon always running
-
Native
systemdintegration - Podman allows you to createsystemdunit files and run containers as system services
The characteristics of Podman, Skopeo, and Buildah include:
-
Podman, Buildah, and the CRI-O container engine all use the same back-end store directory,
/var/lib/containers, instead of using the Docker storage location/var/lib/docker, by default. - Although Podman, Buildah, and CRI-O share the same storage directory, they cannot interact with each other’s containers. Those tools can share images.
- To interact programmatically with Podman, you can use the Podman v2.0 RESTful API, it works in both a rootful and a rootless environment. For more information, see Using the container-tools API chapter.
1.2. Running containers without Docker
Red Hat removed the Docker container engine and the docker command from RHEL 10.
If you still want to use Docker in RHEL, you can get Docker from different upstream projects, but it is unsupported in RHEL 10.
-
You can install the
podman-dockerpackage, every time you run adockercommand, it actually runs apodmancommand. -
Podman also supports the Docker Socket API, so the
podman-dockerpackage also sets up a link between/var/run/docker.sockand/var/run/podman/podman.sock. As a result, you can continue to run your Docker API commands withdocker-pyanddocker-composetools without requiring the Docker daemon. Podman will service the requests. -
The
podmancommand, like thedockercommand, can build container images from aContainerfileorDockerfile. The available commands that are usable inside aContainerfileand aDockerfileare equivalent. -
Options to the
dockercommand that are not supported bypodmaninclude network, node, plugin (podmandoes not support plugins), rename (use rm and create to rename containers withpodman), secret, service, stack, and swarm (podmandoes not support Docker Swarm). The container and image options are used to run subcommands that are used directly inpodman.
1.3. Supported architectures for container deployment in RHEL
Red Hat provides container images and container-related software for the following computer architectures:
- AMD64 and Intel 64 (base and layered images; no support for 32-bit architectures)
- PowerPC 8 and 9 64-bit (base image and most layered images)
- 64-bit IBM Z (base image and most layered images)
- ARM 64-bit (base image only)
Although not all Red Hat images were supported across all architectures at first, nearly all are now available on all listed architectures.
Additional resources
1.4. Installing container tools
This procedure shows how you can install the container-tools meta-package which contains the Podman, Buildah, Skopeo, CRIU, Udica, and all required libraries.
The stable streams are not available on RHEL 9. To receive stable access to Podman, Buildah, Skopeo, and others, use the RHEL EUS subscription.
Procedure
- Install RHEL.
Register RHEL: Enter your user name and password. The user name and password are the same as your login credentials for Red Hat Customer Portal:
# subscription-manager register Registering to: subscription.rhsm.redhat.com:443/subscription Username: <username> Password: <password>Subscribe to RHEL.
To auto-subscribe to RHEL:
# subscription-manager attach --autoTo subscribe to RHEL by Pool ID:
# subscription-manager attach --pool <PoolID>
Install the
container-toolsmeta-package:# dnf install container-toolsYou can also install
podman,buildah, andskopeoindividually if you prefer.Optional: Install the
podman-dockerpackage:# dnf install podman-dockerThe
podman-dockerpackage replaces the Docker command-line interface anddocker-apiwith the matching Podman commands instead.
1.5. Special considerations for rootless containers
There are several considerations when running containers as a non-root user:
-
The path to the host container storage is different for root users (
/var/lib/containers/storage) and non-root users ($HOME/.local/share/containers/storage). - Users running rootless containers are given special permission to run as a range of user and group IDs on the host system. However, they have no root privileges to the operating system on the host.
-
If you change the
/etc/subuidor/etc/subgidmanually, you have to run thepodman system migratecommand to allow the new changes to be applied. -
If you need to configure your rootless container environment, create configuration files in your home directory (
$HOME/.config/containers). Configuration files includestorage.conf(for configuring storage) andcontainers.conf(for a variety of container settings). You could also create aregistries.conffile to identify container registries that are available when you use Podman to pull, search, or run images. There are some system features you cannot change without root privileges. For example, you cannot change the system clock by setting a
SYS_TIMEcapability inside a container and running the network time service (ntpd). You have to run that container as root, bypassing your rootless container environment and using the root user’s environment. For example:# podman run -d --cap-add SYS_TIME ntpdNote that this example allows
ntpdto adjust time for the entire system, and not just within the container.A rootless container cannot access a port numbered less than 1024. Inside the rootless container namespace it can, for example, start a service that exposes port 80 from an httpd service from the container, but it is not accessible outside of the namespace:
$ podman run -d httpdHowever, a container would need root privileges, using the root user’s container environment, to expose that port to the host system:
# podman run -d -p 80:80 httpdThe administrator of a workstation can allow users to expose services on ports numbered lower than 1024, but they should understand the security implications. A regular user could, for example, run a web server on the official port 80 and make external users believe that it was configured by the administrator. This is acceptable on a workstation for testing, but might not be a good idea on a network-accessible development server, and definitely should not be done on production servers. To allow users to bind to ports down to port 80 run the following command:
# echo 80 > /proc/sys/net/ipv4/ip_unprivileged_port_start
1.6. Using modules for advanced Podman configuration
You can use Podman modules to load a predetermined set of configurations. Podman modules are containers.conf files in the Tom’s Obvious Minimal Language (TOML) format.
These modules are located in the following directories, or their subdirectories:
-
For rootless users:
$HOME/.config/containers/containers.conf.modules -
For root users:
/etc/containers/containers.conf.modules, or/usr/share/containers/containers.conf.modules
You can load the modules on-demand with the podman --module <your_module_name> command to override the system and user configuration files. Working with modules involve the following facts:
-
You can specify modules multiple times by using the
--moduleoption. -
If
<your_module_name>is the absolute path, the configuration file will be loaded directly. - The relative paths are resolved relative to the three module directories mentioned previously.
-
Modules in
$HOMEoverride those in the/etc/and/usr/share/directories.
Additional resources
-
containers.conf(5)man page on your system
