
Podman

Installation

Debian

Install:

apt install podman

Before using buildah, mind the note in debian/README.debian:

Buildah requires a Linux Kernel with user namespaces enabled. Debian Kernels have that functionality, but the local system administrator needs to enable it manually, with a command like this:

sudo sysctl -w kernel.unprivileged_userns_clone=1

That sysctl -w call does not survive a reboot; to keep the setting, put the same key=value into a file under /etc/sysctl.d/. Debian had unprivileged user namespaces off by default because they expose a large amount of kernel code to unprivileged users; kernels from bullseye on enable them by default, so on those systems no change is needed.

Arch

Install:

pacman -S podman buildah podman-docker

Disable the docker emulation warning by creating the marker file the podman-docker wrapper looks for (replace varac with your own user; the warning message itself names the path the wrapper checks, so use that path if it differs from the one below):

sudo mkdir -p /usr/etc/containers
sudo chgrp varac /usr/etc /usr/etc/containers
sudo touch /usr/etc/containers/nodocker

Configuration

  • man containers.conf
  • Container engines read the
    • /usr/share/containers/containers.conf
    • /etc/containers/containers.conf
    • /etc/containers/containers.conf.d/*.conf
  • When running in rootless mode:
    • $HOME/.config/containers/containers.conf
    • $HOME/.config/containers/containers.conf.d/*.conf

By default, podman logs to the journal.

Usage

Start a container:

podman run --rm -ti docker://alpine sh

Import an existing, self-built, unpublished image from the local Docker daemon (the docker-daemon transport reads it through the Docker socket, so the calling user needs access to that socket):

podman pull docker-daemon:varac/test:5

Inspect:

podman inspect samba-server

Expose/publish ports:

podman run --rm --publish 9469:9469 billimek/prometheus-speedtest-exporter:sha-243c8eb

Proxy settings

Unset the host's proxy variables for the build and mount the host CA bundle (for example one that contains a TLS-intercepting proxy's CA) into the build container. The -v mount exists only while the build runs; it does not end up in the resulting image:

unset http_proxy https_proxy HTTP_PROXY HTTPS_PROXY \
  HTTP_PROXY_HOST HTTP_PROXY_PORT REQUESTS_CA_BUNDLE
podman build \
  -v /etc/ca-certificates/extracted/tls-ca-bundle.pem:/etc/ssl/certs/ca-certificates.crt \
  --env NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt .

Networking

Containers can talk to each other in two ways: containers in the same Pod share one network namespace and reach each other on localhost, and containers on the same user-defined network reach each other by IP (and, with DNS enabled on that network, by container name). Containers on the default network only see each other by IP.

DNS

For internal DNS (containers resolving each other by name) to work:

  • Install these packages: apt install netavark aardvark-dns
  • Podman needs to be configured with network_backend = "netavark" in the [network] section of /etc/containers/containers.conf (reboot afterwards; podman info reports the value as networkBackend). Podman stores the backend it first ran with, so switching later requires podman system reset, which wipes all containers, images, volumes and networks; plan the switch before building anything.
    • podman info -f json | jq '.host.networkBackend'
  • Containers must be in a dedicated network with dns_enabled (see podman network inspect NETWORK | jq '.[].dns_enabled')
    • The default podman network has "dns_enabled": false !!
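The three checks above, turned into a script. This is an added example, not code from the original page: the text helpers work on the JSON that podman info and podman network inspect print (so they run without podman, using grep/sed instead of jq), while the part that really calls podman is guarded by PODMAN_DNS_DEMO=1. The network name appnet, the nginx/alpine images and the container name web are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: check the netavark prerequisites
# and bring up two containers on a dedicated network that resolve each other
# by name.  Network, image and container names are assumptions for the demo.
set -eu

# Backend reported by `podman info -f json` (same field as
# jq '.host.networkBackend', done with grep/sed so jq is not required).
network_backend() {  # $1 = JSON text
    printf '%s' "$1" | tr -d ' \n\t' \
        | grep -o '"networkBackend":"[^"]*"' | sed 's/.*:"\([^"]*\)"/\1/'
}

# Succeeds when the inspected network has "dns_enabled": true.
network_dns_enabled() {  # $1 = JSON text from `podman network inspect NAME`
    printf '%s' "$1" | tr -d ' \n\t' | grep -q '"dns_enabled":true'
}

# Constructed samples shaped like the real command output.
SAMPLE_INFO='{"host": {"networkBackend": "netavark", "os": "linux"}}'
SAMPLE_NET_DEFAULT='[{"name": "podman", "driver": "bridge", "dns_enabled": false}]'
SAMPLE_NET_APP='[{"name": "appnet", "driver": "bridge", "dns_enabled": true}]'

# Refuse to continue on CNI, create the network if missing (netavark enables
# DNS on newly created networks; the default "podman" network has it off),
# then resolve the server container by name from a second container.
setup_dns_network() {  # $1 = network name
    net="$1"
    backend="$(network_backend "$(podman info -f json)")"
    if [ "$backend" != netavark ]; then
        echo "backend is '$backend': set network_backend = \"netavark\" under [network] in containers.conf" >&2
        return 1
    fi
    podman network exists "$net" || podman network create "$net"
    if ! network_dns_enabled "$(podman network inspect "$net")"; then
        echo "DNS is disabled on $net; recreate it without --disable-dns" >&2
        return 1
    fi
    podman run -d --rm --name web --network "$net" docker.io/library/nginx:alpine >/dev/null
    # The client's resolver is aardvark-dns, so the container name resolves.
    if ! podman run --rm --network "$net" docker.io/library/alpine getent hosts web; then
        podman stop web >/dev/null
        return 1
    fi
    podman stop web >/dev/null
}

if [ "${PODMAN_DNS_DEMO:-0}" = 1 ]; then
    setup_dns_network appnet
fi
```

Run it as PODMAN_DNS_DEMO=1 sh dns-check.sh on a host with netavark and aardvark-dns installed; on a CNI host it stops at the first check with the containers.conf key to set.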

host.containers.internal

The host can be reached by using the host.containers.internal mapping in /etc/hosts, which should automatically get added:

$ podman run --rm -it alpine grep host.containers.internal /etc/hosts
10.27.13.162 host.containers.internal host.docker.internal

If it is not added automatically, add the entry to /etc/hosts by hand:

podman run --add-host=host.containers.internal:host-gateway --rm -it alpine cat /etc/hosts

or, if host-gateway cannot be determined on the host, pass the host IP:

podman run --add-host=host.containers.internal:10.10.10.1 --rm -it alpine cat /etc/hosts

Iptables

The podman Debian package installs iptables as a dependency of containernetworking-plugins, which gets pulled in by installing podman. There are multiple issues/PRs asking containernetworking-plugins to not depend on iptables:

Closed:

Authentication

  • podman login man page
  • Auth config at ${XDG_RUNTIME_DIR}/containers/auth.json, e.g. /run/user/1000/containers/auth.json (a tmpfs that is cleared when the session ends; use --authfile or REGISTRY_AUTH_FILE for a persistent location)
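What that file contains and how to handle it, as an added example that is not from the original page: auth.json stores base64("user:password"), not an encrypted secret, so anyone who can read the file has the credentials. The helpers below list the registries in an auth file, decode the stored username, and check the file mode; the guarded part at the end shows podman login with an explicit persistent auth file. The sample JSON, the registries, the user names and the image name are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: inspect a podman auth.json the
# way a reviewer would before copying it anywhere.  The "auth" values are only
# base64("user:password"), so the file must stay 0600 and out of backups,
# images and git.  Registry and user names are made up.
set -eu

# Constructed sample with the layout `podman login` writes.
SAMPLE_AUTH='{
  "auths": {
    "docker.io": { "auth": "dXNlcjpwYXNz" },
    "ghcr.io":   { "auth": "Ym90OnMzY3JldA==" }
  }
}'

# Write it to a private temp file the way podman does (mktemp creates 0600).
AUTHFILE="$(mktemp)"
trap 'rm -f "$AUTHFILE"' EXIT
printf '%s\n' "$SAMPLE_AUTH" > "$AUTHFILE"

# Registries with stored credentials, one per line.
auth_registries() {  # $1 = path to auth.json
    tr -d ' \n\t' < "$1" | grep -o '"[^"]*":{"auth":' | sed 's/^"\([^"]*\)".*/\1/'
}

# Username stored for one registry; decoding the "auth" value yields user:password.
auth_username() {  # $1 = path to auth.json, $2 = registry
    tr -d ' \n\t' < "$1" \
        | grep -o "\"$2\":{\"auth\":\"[^\"]*\"" \
        | sed 's/.*"auth":"\([^"]*\)"/\1/' \
        | base64 -d | cut -d: -f1
}

# Succeeds only if the file is readable and writable by its owner alone.
authfile_private() {  # $1 = path
    case "$(ls -ld "$1" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Real usage, guarded: log in with an explicit persistent auth file instead of
# the tmpfs default under $XDG_RUNTIME_DIR (gone at logout), and point later
# pulls at it with REGISTRY_AUTH_FILE or --authfile.
if [ "${PODMAN_LOGIN_DEMO:-0}" = 1 ]; then
    AUTH="$HOME/.config/containers/auth.json"
    mkdir -p "$(dirname "$AUTH")"
    podman login --authfile "$AUTH" ghcr.io
    podman login --authfile "$AUTH" --get-login ghcr.io
    authfile_private "$AUTH" || echo "warning: $AUTH is not mode 0600" >&2
    REGISTRY_AUTH_FILE="$AUTH" podman pull ghcr.io/example/private-image:latest
fi
```

The decode step is the point: anything that can read the file (a backup job, a COPY . into an image, a leaked home directory) gets working registry credentials, so treat auth.json like a private key.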

Ansible

Compose