dracula/knowledge
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
knowledge/sysadmin/podman.md
Lukas Vacula a08a4ff2b6 ssss
2024-01-31 07:30:44 -05:00

231 lines
9.3 KiB
Markdown
Raw Permalink Blame History

# Using Podman with SELinux
- SEL confines container processes to system_u:system_r:container_t:s0 domain
- File perms for volumes must be system_u:object_r:container_file_t:s0
- This can be done easily by appending `:z` to volume mappings during container creation
- Example: `-v /opt/docker/vw-data:/vw-data/:z`
# Sources
https://blog.christophersmart.com/2021/01/31/podman-volumes-and-selinux/
---
# Book Notes: Podman In Action
## Definitions
- container orchestrator - orchestrate conatiners onto multiple machines or nodes; primary CO is Kubernetes; often interacts with a separate container engine
- examples: Kubernetes, Docker Swarm, Apache Mesos
- container engine - contfigures containerized apps to run on a single node
- examples: Podman, Docker, containerd, CRI-O, buildah
- Open Container Initiative container runtimes - configure parts of the linux kernel and launch the containerized app
- examples: runc, crun, Kata, gVisor
- pod - multiple containers sharing the same namespaces and cgroups
- cgroups - control groups; linux kernel feature; allows processes to be put in hierarchical groups to limit and monitor resource usage
- namespaces - virtualized environments where different processes see different sets of resources
- examples: network namespace, mount namespace, PID namespace
- skopeo - tool to inspect containers?
- container image - a committed container
## Podman
- supports images in OCI, docker v2, and docker v1 formats
- supports all OCI runtimes
- supports rootless containers
## Containers
- groups of processes running on a linux system; isolated from one another
- prevents processes from interfering with other processes
- prevents processes from dominating system resources
- allows installations to use specific shared libraries
- isolated using resource constraints, security constraints, namespaces
- security constraints include SELinux, RO-access to filesystems, user namespaces, seccomp
- simplifies software distribution; correct dependencies are already there
## Container Image Format
1. Directory tree containing all software required to run the application
2. JSON file to describe the rootfs
- laid out like it was the root of a linux filesystem
3. JSON file to link multiple images together to support different architectures
## Rootless Containers
- docker requires root; podman does not
- command to gain root privileges if the user is in the docker group: `docker run -ti --name hacker --privileged -v /:/host ubi8 chroot /host`
- command to erase evidence of activities: `docker rm hacker`
- this includes logging if docker's default logging config is used
- docker *can* be run rootless, but it's rare to do so due to the additional configuration required
- podman containers are owned by the user and have no addition privileges compared to that user
- even on container escape, there are no additional privileges
## Fork/Exec Model
- docker is client/server model with multiple daemons
- server runs setup steps, then acts as a communication layer back to client
- docker daemon, containerd daemon, etc; if any fail, all containers stop
## Systemd Integration
- podman aims for integration with systemd
- support systemd within containers
- socket activation
- systemd notifications
- systemd management of cgroups
## Pods
- shared storage/network resources
- supports kubernetes YAML via `podman generate kube` and `podman play kube`
- allows multiple microservice containers to be combined into a larger service pod
## Podman Container Customizability
- allows container defaults to be overridden
- multiple configuration files (distibution-level, system-level, user-level)
- allows more or less security depending on need
## User-namespace Support
- allows multiple UIDs to be assigned to a user
- allows isolation between processes from the same user
# Podman Commands
(all commands should be prefixed with `podman`)
- `run <image>` - pull image and execute in the foreground until exit
- `run -ti <image> <command>` - run the command in the specified image in interactive mode
- `run --rm` - delete container upon exit
- `run -d` - detach from the container and run it in the background
- `run -p <host_port>:<container_port>` - publish the container's internal port to the external host
- in rootless mode, only host ports below 1024 are usable
- `run --name <name>` provides a name for the container
- if a name is not specified, a unique name is generated
- `run --user <username>` - run as a specific user in the image
- `create <image>` - pull the image and build it, but don't execute
- has near-identical flags to `run`
- `start` - start a built image
- `inspect` - get information about a container/image/network/etc
- most items have a specific `inspect` command for their type
- `podman image inspect`
- `podman container inspect`
- etc
- `commit` - create new image from current container state
- **should only be run while a container is stopped**
- not the most common method compared to podman build
- `push` - push image to registry
- `login <registry>` - log in to a registry to do push/pull actions
- by default, credentials are stored in /run/user/\<uid\>/containers/auth.json as a base64-encoded string
- credentials are cleared on reboot
- other options for storing passwords are available
- `image prune` - remove images without a tag
- `image prune -a` - remove all images not in use by a container
- `image mount` - mount an images root filesystem as read-only
- cannot be done in rootless mode
- `unshare` - enter user amd mount namespaces
- `build` - build a container using Dockerfile or Containerfile
## Container Images
- containers are not the same as images
- images are committed containers
- "images" usually refers to content stored in container storage or in a container registry
- stored as a series of layers
### Image Tagging
- allows adding additional names ot images
### Image Mounting
```
podman unshare
mnt=$(podman image mount <imagename>)
ls $mnt
podman image unmount <imagename>
exit
```
## Image Building; Containerfiles
- docker has Dockerfile; podman has Containerfile (and Dockerfile)
- Containerfiles contain two types of directives
- adding content to the container image
- describing and documenting image use
### Containerfile directives
```
# FROM specifies the container to base the image off of
# FROM scratch # start with no content at all
FROM registry.access.redhat.com/ubi8 # start from the ubi8 image
# COPY copies files, directories, or tarballs into the new rootfs
# ADD provides the same function, but supports remote URLs as well
# VOLUME will create a folder that is marked as holding externally-mounted volumes
# RUN runs a command on the image during building
# commonly used for package management tools
RUN yum -y update
RUN yum -y install procps-ng
RUN yum -y clean all
# install "ps" command and clean up cruft from yum
# CMD runs a command if a different command is not specified
# ENTRYPOINT allows container to run as an executable
# ENV defines environment variables
# EXPOSE announces ports that will be opened
# **but** it does not actually map or open any ports
# LABEL adds metadata
# MAINTAINER sets author of image
# STOPSIGNAL defines the signal to send to the container for exit
# USER defined the user name (and group name) for subsequent RUN/CMD/ENTRYPOINT directives
# WORKDIR sets the working directory for subsequent RUN/CMD/ENTRYPOINT/COPY directives
# ONBUILD adds a trigger to use if the image is being used as a base for another build
```
## Volumes
- `volume rm <name>` - remove volume
- `volume list` - list all volumes
- `volume export` - export contents of volume to TAR archive
- `volume import` - import TAR as volume
### Why volumes?
- separate applications from data
- have the same image in multiple environments
- reduce overhead of read/write performance
- share content via network storage
### Flags
- flags are placed after the volume mapping
- `-v ./html:/var/www/html:ro`
- flags can be combined with commas
- `-v ./html:/var/www/html:ro,z`
- `:ro` - mount as read-only
- `:z` - recursively relabel content for use by SELinux, allows multi-container access
- `:Z` - recursively relabel content for use by SELinux, disallows multi-container access
- `--security-opt label=disable` can be used to run containers with an "unconfined" label, if needed (but not recommended)
- `:U` - change ownership of volume to match UID in container
- `:O` - mount as temporary storage, destroyed when finished executing
### Named Volumes
- `podman volume crate <name>`
- defaults to locally named volumes
- creates a directory for named volumes
- can be used by multiple containers at once
## Pods
- comes from the Kubernetes project
- allows one or more containers to share namespaces and cgroups
- ensured shared SELinux labels
- all pods ahve a container called the *infra* or *pause* container to hold open namespaces/cgroups
- pods can optionally have *init* containers that run before the primary containers are executed
- can run either once on pod creation, or every time the pod is started
- "sidecar containers" are just other containers in the pod
### conmon
- container monitoring process
- added to every container that is in a pod
- lightweight C executable that monitors pod until exit
- executes OCI runtime
- responsible for reporting error code back to Podman
- provides socket for STDOUT and STDERR
fdsafdsa
Reference in New Issue View Git Blame Copy Permalink