Container podman (1)

TOC

Here is a series of memos of me trying to use podman on Debian 12 (bookworm).

LXD (Incus) is a good platform for the system container as I tried in:

• Container with LXC/LXD (1)
• Container with LXC/LXD (2)
• Container with LXC/LXD (3)
• Container with LXC/LXD (4)
• Container with LXC/LXD (5)

The docker command still is the de facto standard for the application container.

As I checked recent Google trend: podman, kvm, docker, lxc, lxd

• docker: 100
• kvm: 7
• podman: 3
• lxc: 1
• lxd: 1

Despite this, I decided to try daemon-less podman as the next tool to play with.

Podman and Buildah for Docker users (2019-02-21) gives good technical landscape background overview around podman version 1.0. Now Debian 12 bookworm ships podman version 4.3.1.

podman and docker CLI

Basically podman CLI syntax and its functionalities are exactly the same as the docker ones except for the command name itself from user’s perspective. By installing podman-docker package, you can even use the docker as the command to start podman command.

Here, you need to make 2 subtle adjustments:

• Install docker-compose to manage docker containers using the YAML file.
• Execute sudo touch /etc/containers/nodocker.

The second requirement is because /usr/bin/docker is simple wrapper of podman.

#!/bin/sh
[ -e /etc/containers/nodocker ] || \
echo "Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg." >&2
exec /usr/bin/podman "$@"

All manpages provided by the podman-docker package simply redirect requests to corresponding podman-* manpages. For example, you can see this background situation as:

$ zcat /usr/share/man/man1/docker.1.gz
.so man1/podman.1

So many tutorial resources for docker can be used for podman.

podman CLI basics

Run command in container and exit

A docker image with its alias debian is used.

Many aliases are defined in /etc/containers/registries.conf.d/shortnames.conf

 $ podman run debian cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
 $ podman ps -a
CONTAINER ID  IMAGE                            COMMAND               CREATED        STATUS                    PORTS       NAMES
7db8501a5c00  docker.io/library/debian:latest  cat /etc/os-relea...  4 seconds ago  Exited (0) 4 seconds ago              inspiring_dhawan

Run command in container with redirect and exit

An explicit name bar is set to the generated container.

 $ echo "Foo" | podman run -i --name=bar debian sed -e 's/o/e/g' > ~/foo
 $ cat ~/foo
Fee
$ podman ps -a
CONTAINER ID  IMAGE                            COMMAND               CREATED         STATUS                     PORTS       NAMES
5d8751ada416  docker.io/library/debian:latest  cat /etc/os-relea...  54 seconds ago  Exited (0) 54 seconds ago              inspiring_dhawan
f760a3bbe471  docker.io/library/debian:latest  sed -e s/o/e/g        5 seconds ago   Exited (0) 5 seconds ago               bar

Remove all container images (1)

Let’s remove all containers.

 $ podman rm -a
...

Run daemon in container and access from host

An explicit name nginx is set to the generated container.

A docker image with its image reference specified as docker.io/nginx is used.

The host port 8080 is connected to container port 80.

The -d option to run the container in the background.

 $ podman run -dit --name nginx -p 8080:80 docker.io/nginx
6d39687d03a39fac31ccfd1b9d0e0860145a3d22115918ca318544705726adb2
 $ podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS                 NAMES
6d39687d03a3  docker.io/library/nginx:latest  nginx -g daemon o...  4 minutes ago  Up 4 minutes ago  0.0.0.0:8080->80/tcp  nginx

Now, pointing a browser on the host to http://127.0.0.1:8080/ displays “Welcome to nginx!”.

Remove exited container images

 $ docker ps -a
CONTAINER ID  IMAGE                            COMMAND               CREATED         STATUS                     PORTS                 NAMES
6d39687d03a3  docker.io/library/nginx:latest   nginx -g daemon o...  43 minutes ago  Up 43 minutes ago          0.0.0.0:8080->80/tcp  nginx
419631630b1c  docker.io/library/debian:latest  cat /etc/hostname     7 seconds ago   Exited (0) 6 seconds ago                         zen_jepsen
 $ docker rm $(docker ps -a -q -f status=exited)
419631630b1c

Remove all container images (2)

 $ docker rm -a
Error: cannot remove container 6d39687d03a39fac31ccfd1b9d0e0860145a3d22115918ca318544705726adb2 as it is running - running or paused containers cannot be removed without force: container state improper
osamu@goofy:/etc/containers/registries.conf.d 23:44:40
 $ docker rm -a -f
6d39687d03a39fac31ccfd1b9d0e0860145a3d22115918ca318544705726adb2

Use case (1)

Let’s see the docker use case in issue #209.

 $ docker run --rm -it python:3.12-bookworm /bin/bash
 ...

Here:

• --rm: Automatically remove the container when it exits.
• -t, --tty: Allocate a pseudo-TTY
  • The --tty flag prevents redirection of standard output.
• 3.12-bookworm: docker-reference 3.12-bookworm for Python 3.12 on Debian bookworm. (Ordinary Debian bookworm is Python 3.11)

This is interesting way to have exact same working environment among different people.

Use case (2)

Let’s share data on disk between inside and outside of the container.

 $ touch file1
 $ date -u >date-file
 $ ls -l
total 4
-rw-rw-r-- 1 osamu osamu 32 Feb 16 16:52 date-file
-rw-rw-r-- 1 osamu osamu  0 Feb 16 16:51 file1
 $ docker run -it --rm -w /root -v .:/root/cwd -e FOOBAR=foobar debian bash
root@9304d84d2e7a:~# pwd
/root
root@9304d84d2e7a:~# echo $FOOBAR
foobar
root@9304d84d2e7a:~# ls -la
total 8
drwx------ 1 root root  36 Feb 16 08:23 .
dr-xr-xr-x 1 root root 132 Feb 15 07:50 ..
-rw-r--r-- 1 root root 571 Apr 10  2021 .bashrc
-rw-r--r-- 1 root root 161 Jul  9  2019 .profile
drwxrwxr-x 1 root root  50 Feb 16 08:03 cwd
root@9304d84d2e7a:~# cd cwd
root@9304d84d2e7a:~/cwd# ls -l
total 4
-rw-rw-r-- 1 root root 32 Feb 16 07:52 date-file
-rw-rw-r-- 1 root root  0 Feb 16 07:51 file1
root@9304d84d2e7a:~/cwd# date -u >>date-file
root@9304d84d2e7a:~/cwd# touch file2
root@9304d84d2e7a:~/cwd# (Control-D pressed)
exit
 $ ls -l
total 4
-rw-rw-r-- 1 osamu osamu 61 Feb 16 16:55 date-file
-rw-rw-r-- 1 osamu osamu  0 Feb 16 16:51 file1
-rw-r--r-- 1 osamu osamu  0 Feb 16 16:55 file2
 $ cat date-file
Fri Feb 16 07:52:16 AM UTC 2024
Fri Feb 16 07:55:11 UTC 2024

Here:

• -w=/root: set working directory inside the container to /root (without this, working directory is /.).
• -v /HOST-DIR:/CONTAINER-DIR: bind-mount /HOST-DIR from the host into /CONTAINER-DIR in the container.
• -e var=value: set environment variable var to value.

Dockerfile

Somehow, man Dockerfile doesn’t provide anything in my setup. podman-build(1), Containerfile(5) and Dockerfile reference need to be consulted.

References

Blogs and articles:

• A Practical Introduction to Container Terminology (2018-02-22)
• Buildah and Podman Relationship (2018-10-31)
• How to run systemd in a container – (2019-04-24)
• Rootless Systemd in Rootless Podman – (2023-02-14)
• Docker for beginners – Build and deploy example of a simple Webapps
• Awesome-docker – A curated list of Docker resources and projects

Upstream references:

• Getting Started with Podman
• What is Podman
  • Introduction
  • Tutorials
• Docker: Getting started guide
  • Use Docker Compose
• Build with Docker
  • Layers
• Docker: Reference documentation
  • Dockerfile reference

Note on directory usage of podman

Directory name under ~/.local/share/containers/storage/ directory:

• vfs-images/: directory listed by podman image list -a
• vfs-containers/: directory listed by podman container list -a
• volumes/: directory listed by podman volume list
• vfs/: ? (FS for overlay)
• vfs-layers/: ? (tar-split.gz containing data such as {"type":1,"name":"var/log/apt/","payload":null,"position":7007})

Typical cliché for docker/podman

I often see the following cliché:

 $ docker run -it --rm -w /root alpine:edge sh -uelic "
   apk add $list_of_packages --update
   $command_string
"

Here:

• docker: This can be podman.
• -it: Keep stdin open and allocate a pseudo-TTY.
• --rm: Automatically remove the container when it exits.
• -w /root: Working directory inside the container to be /root.
• alpine:edge: Docker official image based on Alpine Linux with tag=edge
• sh -uelic: Busybox sh:
  • -u: Exit immediately if an undefined variable is attempted to be expanded
  • -e: Exit immediately if any untested command fails.
  • -l: Login shell
  • -i: Interactive shell
  • -c: Read commands from the command_string operands

Here, Alpine Linux is is a lightweight Linux distribution suitable for docker. Its Docker official image tag can be:

• edge for the current development tree
• latest for the latest stable release (default w/o tag)

As for $list_of_packages, search them in Alpine linux packages page.

If I want to use Debian based system instead of Alpine, I can use debian:unstable instead for the Docker official image and use apt instead of apk.

If I want to make the current working directory available and to use debian:unstable, it should be:

 $ docker run -it --rm -w /root -v .:/root/cwd debian:unstable sh -uelic "
apt update ; apt upgrade; apt install add $list_of_packages
cd cwd
$command_string
"