Red Hat SummitChapter 4. Working with container images
Manage container images by using the Podman tool. You can use this tool to pull the image, inspect, tag, save, load, redistribute, and define the image signature.
4.1. Pulling images from registries
Download container images from remote registries to your local system by using the podman pull command. This makes the image available for creating and running containers.
Prerequisites
-
The
container-toolsmeta-package is installed.
Procedure
Log in to the
registry.redhat.ioregistry:$ podman login registry.redhat.io Username: <username> Password: <password> Login Succeeded!Pull the
registry.redhat.io/ubi10/ubicontainer image:$ podman pull registry.redhat.io/ubi10/ubi
Verification
List all images pulled to your local system:
$ podman images REPOSITORY TAG IMAGE ID CREATED SIZE registry.redhat.io/ubi10/ubi latest 3269c37eae33 7 weeks ago 208 MBFor more information, see the
podman-pull(1)man page on your system.
4.2. Pulling container images using short-name aliases
You can use secure short names to get the image to your local system. The following procedure describes how to pull a fedora or nginx container image.
Prerequisites
-
The
container-toolsmeta-package is installed.
Procedure
Pull the container image:
Pull the
fedoraimage:$ podman pull fedora Resolved "fedora" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf) Trying to pull registry.fedoraproject.org/fedora:latest… ... Storing signatures ...Alias is found and the
registry.fedoraproject.org/fedoraimage is securely pulled. Theunqualified-search-registrieslist is not used to resolvefedoraimage name.Pull the
nginximage:$ podman pull nginx ? Please select an image: registry.access.redhat.com/nginx:latest registry.redhat.io/nginx:latest ▸ docker.io/library/nginx:latest ✔ docker.io/library/nginx:latest Trying to pull docker.io/library/nginx:latest… ... Storing signatures ...If no matching alias is found, you are prompted to choose one of the
unqualified-search-registrieslist. If the selected image is pulled successfully, a new short-name alias is recorded locally, otherwise an error occurs.
Verification
List all images pulled to your local system:
$ podman images REPOSITORY TAG IMAGE ID CREATED SIZE registry.fedoraproject.org/fedora latest 28317703decd 12 days ago 184 MB docker.io/library/nginx latest 08b152afcfae 13 days ago 137 MB
4.3. Listing images
You can list locally stored container images on by using Podman to verify version availability and manage system storage. Viewing the image list ensures you select the appropriate foundation for your workloads while maintaining visibility into your local environment.
Prerequisites
-
The
container-toolsmeta-package is installed. - A pulled image is available on the local system.
Procedure
List all images in the local storage:
$ podman images REPOSITORY TAG IMAGE ID CREATED SIZE registry.access.redhat.com/ubi10/ubi latest 3269c37eae33 6 weeks ago 208 MBFor more information, see the
podman-images(1)man page on your system.
4.4. Inspecting local images
After you pull an image to your local system and run it, you can use the podman inspect command to investigate the image. For example, use it to understand what the image does and check what software is inside the image.
The podman inspect command displays information about containers and images identified by name or ID.
Prerequisites
-
The
container-toolsmeta-package is installed. - A pulled image is available on the local system.
Procedure
Inspect the
registry.redhat.io/ubi10/ubiimage:$ podman inspect registry.redhat.io/ubi10/ubi … "Cmd": [ "/bin/bash" ], "Labels": { "architecture": "x86_64", "build-date": "2020-12-10T01:59:40.343735", "com.redhat.build-host": "cpt-1002.osbs.prod.upshift.rdu2.redhat.com", "com.redhat.component": "ubi10-container", "com.redhat.license_terms": "https://www.redhat.com/..., "description": "The Universal Base Image is ... } ...The
"Cmd"key specifies a default command to run within a container. You can override this command by specifying a command as an argument to thepodman runcommand. This ubi10/ubi container will execute the bash shell if no other argument is given when you start it withpodman run. If an"Entrypoint"key was set, its value would be used instead of the"Cmd"value, and the value of"Cmd"is used as an argument to the Entrypoint command.
4.5. Inspecting remote images
Use the skopeo inspect command to display information about an image from a remote container registry before you pull the image to your system. This reveals details such as the default command, environment variables, and architecture.
Prerequisites
-
The
container-toolsmeta-package is installed.
Procedure
Inspect the
registry.redhat.io/ubi10/ubi-initimage:# skopeo inspect docker://registry.redhat.io/ubi10/ubi-init { "Name": "registry.redhat.io/ubi10/ubi10-init", "Digest": "sha256:c6d1e50ab...", "RepoTags": [ ... "latest" ], "Created": "2020-12-10T07:16:37.250312Z", "DockerVersion": "1.13.1", "Labels": { "architecture": "x86_64", "build-date": "2020-12-10T07:16:11.378348", "com.redhat.build-host": "cpt-1007.osbs.prod.upshift.rdu2.redhat.com", "com.redhat.component": "ubi10-init-container", "com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI", "description": "The Universal Base Image Init is designed to run an init system as PID 1 for running multi-services inside a container ... } }For more information, see the
skopeo-inspect(1)man page on your system.
4.6. Copying container images
You can use the skopeo copy command to copy a container image from one registry to another. For example, you can populate an internal repository with images from external registries, or sync image registries in two different locations.
Prerequisites
-
The
container-toolsmeta-package is installed.
Procedure
Copy the
skopeocontainer image fromdocker://quay.iotodocker://registry.example.com:$ skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latestRefer to
skopeo-copy(1)man page on your system for more information.
4.7. Copying image layers to a local directory
Copying container image layers to a local directory by using Skopeo to audit image contents or troubleshoot file system changes. Storing layers locally enables you to inspect the image structure and verify security compliance without the need to deploy the container.
Prerequisites
-
The
container-toolsmeta-package is installed.
Procedure
Create the
/var/lib/images/nginxdirectory:$ mkdir -p /var/lib/images/nginxCopy the layers of the
docker://docker.io/nginx:latest imageto the newly created directory:$ skopeo copy docker://docker.io/nginx:latest dir:/var/lib/images/nginx
Verification
Display the content of the
/var/lib/images/nginxdirectory:$ ls /var/lib/images/nginx 08b11a3d692c1a2e15ae840f2c15c18308dcb079aa5320e15d46b62015c0f6f3 ... 4fcb23e29ba19bf305d0d4b35412625fea51e82292ec7312f9be724cb6e31ffd manifest.json versionRefer to
skopeo-copy(1)man page on your system for more information.
4.8. Tagging images
Assign additional names or tags to local images by using the podman tag command. Tagging helps organize images and prepare them for pushing to specific registries.
This additional name can consist of several parts: <registryhost>/<username>/<name>:<tag>.
Prerequisites
-
The
container-toolsmeta-package is installed. - A pulled image is available on the local system.
Procedure
List all images:
$ podman images REPOSITORY TAG IMAGE ID CREATED SIZE registry.redhat.io/ubi10/ubi latest 3269c37eae33 7 weeks ago 208 MBAssign the
myubiname to theregistry.redhat.io/ubi10/ubiimage using one of the following options:The image name:
$ podman tag registry.redhat.io/ubi10/ubi myubiThe image ID:
$ podman tag 3269c37eae33 myubiBoth commands give you the same result.
List all images:
$ podman images REPOSITORY TAG IMAGE ID CREATED SIZE registry.redhat.io/ubi10/ubi latest 3269c37eae33 2 months ago 208 MB localhost/myubi latest 3269c37eae33 2 months ago 208 MBNotice that the default tag is
latestfor both images. You can see all the image names are assigned to the single image ID 3269c37eae33.Add the
10tag to theregistry.redhat.io/ubi10/ubiimage using either:The image name:
$ podman tag registry.redhat.io/ubi10/ubi myubi:10The image ID:
$ podman tag 3269c37eae33 myubi:10Both commands give you the same result.
Verification
List all images:
$ podman images REPOSITORY TAG IMAGE ID CREATED SIZE registry.redhat.io/ubi10/ubi latest 3269c37eae33 2 months ago 208 MB localhost/myubi latest 3269c37eae33 2 months ago 208 MB localhost/myubi 10 3269c37eae33 2 months ago 208 MBNotice that the default tag is
latestfor both images. You can see all the image names are assigned to the single image ID 3269c37eae33.After tagging the
registry.redhat.io/ubi10/ubiimage, you have three options to run the container:-
by ID (
3269c37eae33) -
by name (
localhost/myubi:latest) by name (
localhost/myubi:10)For more information, see
podman-tag(1)man page on your system.
-
by ID (
4.9. Building multi-architecture images
Build multi-architecture container images by using Podman on RHEL to ensure your applications run consistently across diverse hardware platforms. This approach allows a single image manifest to support multiple architectures, without the requirement of unique builds for each environment.
Prerequisites
-
The
container-toolsmeta-package is installed.
Procedure
-
Create
Containerfilesfor each architecture you want to support. Build images for each architecture. For example:
$ podman build --platform linux/arm64,linux/amd64 --manifest <registry>/<image> .-
The
--platform linux/arm64,linux/amd64option specifies the target platforms for which the container image is being built. -
The
--manifest <registry>/<image>option creates a manifest list with the specified name, that is<registry>/<image>, and adds the newly-built images to them. A manifest list is a collection of image manifests, each one targeting a different architecture.
-
The
Push the manifest list to the registry:
$ podman manifest push <registry>/<image>This manifest list acts as a single entry point for pulling the multi-architecture container.
As a result, you can pull the appropriate container image for your platform, based on a single manifest list.
You can also remove items from the manifest list by using the
podman manifest remove <manifest_list> <digest_ID>command, where<digest_ID>is the SHA-256 checksum of the container image. For example:podman manifest remove <registry>/<image> sha256:cb8a924afdf….
Verification
Display the manifest list:
$ podman manifest inspect <registry>/<image>Refer to the
podman-build(1)andpodman-manifest(1)man page on your system for more information.
4.10. Saving and loading images
Use the podman save command to save an image to a container archive. You can restore it later to another container environment or send it to someone else.
You can use the --format option to specify the archive format. The supported formats are:
-
docker-archive -
oci-archive -
oci-dir(directory with oci manifest type) -
docker-archive(directory with v2s2 manifest type)
The default format is the docker-archive format.
Use the podman load command to load an image from the container image archive into the container storage.
Prerequisites
-
The
container-toolsmeta-package is installed. - A pulled image is available on the local system.
Procedure
Save the
registry.redhat.io/rhel10/support-toolsimage as a tarball:In the default
docker-archiveformat:$ podman save -o mysupport-tools.tar registry.redhat.io/rhel10/support-tools:latestIn the
oci-archiveformat, using the--formatoption:$ podman save -o mysupport-tools-oci.tar --format=oci-archive registry.redhat.io/rhel10/support-toolsThe
mysupport-tools.tarandmysupport-tools-oci.tararchives are stored in your current directory. The next steps are performed with themysupport-tools.tartarball.
Check the file type of
mysupport-tools.tar:$ file mysupport-tools.tar mysupport-tools.tar: POSIX tar archiveTo load the
registry.redhat.io/rhel10/support-tools:latestimage from themysupport-tools.tar:$ podman load -i mysupport-tools.tar ... Loaded image(s): registry.redhat.io/rhel10/support-tools:latestFor more information, see the
podman-save(1)andpodman-load(1)man pages on your system.
4.11. Redistributing UBI images
Share your custom UBI-based images by pushing them to a registry with the podman push command. This enables others to download and use your modified images.
Prerequisites
-
The
container-toolsmeta-package is installed. - A pulled image is available on the local system.
Procedure
Optional: Add an additional name to the
ubiimage:# podman tag registry.redhat.io/ubi10/ubi registry.example.com:5000/ubi10/ubiPush the
registry.example.com:5000/ubi10/ubiimage from your local storage to a registry:# podman push registry.example.com:5000/ubi10/ubiImportantWhile there are few restrictions on how you use these images, there are some restrictions about how you can refer to them. For example, you cannot call those images Red Hat certified or Red Hat supported unless you certify it through the Red Hat Partner Connect Program, either with Red Hat Container Certification or Red Hat OpenShift Operator Certification.
4.12. Removing images
Delete unused container images from local storage using the podman rmi command. Removing old images frees up disk space on your system.
Prerequisites
-
The
container-toolsmeta-package is installed.
Procedure
List all images on your local system:
$ podman images REPOSITORY TAG IMAGE ID CREATED SIZE registry.redhat.io/rhel10/support-tools latest 4b32d14201de 7 weeks ago 228 MB registry.redhat.io/ubi10/ubi latest 3269c37eae33 7 weeks ago 208 MB localhost/myubi X.Y 3269c37eae33 7 weeks ago 208 MBList all containers:
$ podman ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 7ccd6001166e registry.redhat.io/rhel10/support-tools:latest usr/bin/bash 6 seconds ago Up 5 seconds ago my-support-toolsTo remove the
registry.redhat.io/rhel10/support-toolsimage, you have to stop all containers running from this image by using thepodman stopcommand. You can stop a container by its ID or name.Stop the
my-support-toolscontainer:$ podman stop my-support-tools 7ccd6001166e9720c47fbeb077e0afd0bb635e74a1b0ede3fd34d09eaf5a52e9Remove the
registry.redhat.io/rhel10/support-toolsimage:$ podman rmi registry.redhat.io/rhel10/support-toolsTo remove multiple images:
$ podman rmi registry.redhat.io/rhel10/support-tools registry.redhat.io/ubi10/ubiTo remove all images from your system:
$ podman rmi -aTo remove images that have multiple names (tags) associated with them, add the
-foption to remove them:$ podman rmi -f 1de7d7b3f531 1de7d7b3f531...
Verification
-
List all images by using the
podman imagescommand to verify that container images were removed.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}