Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
documentation.suse.com / The Adaptable Linux Platform Guide / Containers and Podman

4 Containers and Podman

4.1 What are containers and Podman?

Containers offer a lightweight virtualization method to run multiple virtual environments (containers) simultaneously on a single host. Unlike technologies such as Xen or KVM, where the processor simulates a complete hardware environment and a hypervisor controls virtual machines, containers provide virtualization on the operating system level, where the kernel controls the isolated containers.

Podman is a short name for Pod Manager Tool. It is a daemonless container engine that enables you to run and deploy applications using containers and container images. Podman provides a command line interface to manage containers.

4.2 How does Podman work?

Podman provides integration with systemd. This way you can control containers via systemd units. You can create these units for existing containers as well as generate units that can start containers if they do not exist in the system. Moreover, Podman can run systemd inside containers.

Podman enables you to organize your containers into pods. Pods share the same network interface and resources. A typical use case for organizing a group of containers into a pod is a container that runs a database and a container with a client that accesses the database.

4.2.1 Pods architecture

A pod is a group of containers that share the same namespace, ports and network connection. Usually, containers within one pod can communicate directly with each other. Each pod contains an infrastructure container (INFRA), whose purpose is to hold the namespace. INFRA also enables Podman to add other containers to the pod. Port bindings, cgroup-parent values, and kernel namespaces are all assigned to the infrastructure container. Therefore, later changes of these values are not possible.

Pods architecture
Figure 4.1: Pods architecture

Each container in a pod has its own instance of a monitoring program. The monitoring program watches the container's process and if the container dies, the monitoring program saves its exit code. The program also holds open the tty interface for the particular container. The monitoring program enables you to run containers in the detached mode when Podman exits, because this program continues to run and enables you to attach tty later.

4.3 Benefits of containers

  • Containers make it possible to isolate applications in self-contained units.

  • Containers provide near-native performance. Depending on the runtime, a container can use the host kernel directly, thus minimizing overhead.

  • It is possible to control network interfaces and apply resources inside containers through kernel control groups.

Enabling Podman

4.5.1 Introduction

This article helps you verify that Podman is installed on the ALP system and provides guidelines to enable its systemd service when Cockpit requires it.

4.5.2 Requirements

  • Deployed ALP base OS.

4.5.3 Installing Podman

  1. Verify that Podman is installed on your system by running the following command:

    # zypper se -i podman
  2. If Podman is not listed in the output, install it by running:

    # transactional-update pkg install podman*
  3. Reboot the ALP host for the changes to take effect.

  4. Optionally, enable and start the podman.service service for applications that require it, such as Cockpit. You can enable it either in Cockpit by clicking Podman containers › Start podman, or by running the following command:

    # systemctl enable --now podman.service

4.5.4 Enabling rootless mode

By default, Podman requires root privileges. To enable rootless mode for the current user, run the following command:

> sudo usermod --add-subuids 100000-165535 \
  --add-subgids 100000-165535 USER

Reboot the machine to enable the change. The command above defines a range of local UIDs to which the UIDs allocated to users inside the container are mapped on the host. Note that the ranges defined for different users must not overlap. It is also important that the ranges do not reuse the UID of an existing local user or group. By default, adding a user with the useradd command automatically allocates subUID and subGID ranges.

Note
Note: Limitations of rootless containers

Running a container with Podman in rootless mode on SLE Micro may fail, because the container might need access to directories or files that require root privileges.

4.5.5 Next steps

Podman usage

This article introduces basic Podman usage that you may need when running containerized workloads.

4.6.1 Getting container images

To run a container, you need an image. An image includes all dependencies needed to run an application. You can obtain images from an image registry. Available registries are defined in the /etc/containers/registries.conf configuration file. If you have a local image registry or want to use other registries, add the registries into the configuration file.

Important
Important: No tools for building images in ALP

ALP does not provide tools for building custom images. Therefore, the only way to get an image is to pull it from an image registry.

The podman pull command pulls an image from an image registry. The syntax is as follows:

# podman pull [OPTIONS] SOURCE

The source can be an image without the registry name. In that case, Podman tries to pull the image from all registries configured in the /etc/containers/registries.conf file. The default image tag is latest. The default location of pulled images is /var/lib/containers/storage/overlay-images/.

To view all possible options of the podman pull command, run:

# podman pull --help
Note
Note: Getting images using Cockpit

If you are using Cockpit, you can also pull images from an image registry in the Podman containers menu by clicking + Get new image.

Podman enables you to search for images in an image registry or a list of registries using the command:

# podman search IMAGE_NAME

4.6.2 Working with containers

The following section covers common container management tasks. This includes creating, starting, and modifying containers.

Warning
Warning

The current version of ALP does not provide tools for building custom images. Therefore, the only way to get a container image is to pull it from an image registry.

4.6.2.1 Running containers

Tip
Tip

For specific details on running ALP containers, refer to links in the Section 1.5, “Available workloads for the Adaptable Linux Platform” article.

After you have pulled your container image, you can create containers based on it. You can run an instance of the image using the podman run command. The command syntax is as follows:

# podman run [OPTIONS] IMAGE [CONTAINER_NAME]

IMAGE is specified in format transport:path. If transport is omitted, the default docker is used. The path can reference to a specific image registry. If omitted, Podman searches for the image in registries defined in the /etc/containers/registries.conf file. An example that runs a container called sles15 based on the sle15 image follows:

# podman run registry.opensuse.org/suse/templates/images/sle-15-sp3/base/images/suse/sle15 sles15

Below is a list of frequently used options. For a complete list of available options, run the command: podman run --help.

--detach, -d

The container will run in the background.

--env, -e=env

This option allows arbitrary environment variables that are available for the process to be launched inside of the container. If an environment variable is specified without a value, Podman will check the host environment for a value and set the variable only if it is set on the host.

--help

Prints help for the podman run command.

--hostname=name, -h

Sets the container host name that is available inside the container.

--pod=name

Runs the container in an existing pod. To create a pod, prefix the pod name with new:.

--read-only

Mounts the container’s root file system as read-only.

--systemd=true|false|always

Runs the container in systemd mode. The default is true.

4.6.2.2 Stopping containers

If the podman run command finished successfully, a new container has been started. You can stop the container by running:

# podman stop [OPTIONS] CONTAINER

You can specify a single container name or ID or a space-separated list of containers. The command takes the following options:

--all, -a

Stops all running containers.

--latest, -l

Instead of providing a container name, the last created container will be stopped.

--time, -t=seconds

Seconds to wait before forcibly stopping the container.

To view all possible options of the podman stop command, run the following:

# podman stop --help

4.6.2.3 Starting containers

To start already created but stopped containers, use the podman start command. The command syntax is as follows:

# podman start [OPTIONS] CONTAINER

CONTAINER can be a container name or a container ID.

For a complete list of possible options of podman start, run the command:

# podman start --help

4.6.2.4 Updating containers

To update an existing container, follow these steps:

  1. Identify the image of the container that you want to update, for example, yast-mgmt-qt:

    > podman image ls
    REPOSITORY                                                                                                  TAG         IMAGE ID      CREATED      SIZE
    [...]
    registry.opensuse.org/suse/alp/workloads/publish/tumbleweed_containerfiles/suse/alp/workloads/yast-mgmt-qt  latest      f349194a439d  13 days ago  674 MB
  2. Pull the image from the registry to find out if there is a newer version. If you do not specify a version tag, the latest tag is used:

    # podman pull registry.opensuse.org/suse/alp/workloads/publish/tumbleweed_containerfiles/suse/alp/workloads/yast-mgmt-qt
    Trying to pull registry.opensuse.org/suse/alp/workloads/publish/tumbleweed_containerfiles/suse/alp/workloads/yast-mgmt-qt:latest...
    Getting image source signatures
    Copying blob 6bfbcdeee2ec done
    [...]
    Writing manifest to image destination
    Storing signatures
    f349194a439da249587fbd8baffc5659b390aa14c8db1d597e95be703490ffb1
  3. If the container is running, identify its ID and stop it:

    # podman ps
    CONTAINER ID  IMAGE                                                                             COMMAND     CREATED         STATUS
    [...]
    28fef404417b /workloads/tumbleweed_containerfiles/suse/alp/workloads/yast-mgmt-ncurses:latest               2 weeks ago     Up 24 seconds ago
    # podman stop 28fef404417b
  4. Run the container following specific instructions at Section 1.5, “Available workloads for the Adaptable Linux Platform”, for example:

    # podman container runlabel run \
     registry.opensuse.org/suse/alp/workloads/tumbleweed_containerfiles/suse/alp/workloads/yast-mgmt-ncurses:latest

4.6.2.5 Committing modified containers

You can run a new container with specific attributes that are not part of the original image. To save the container with these attributes as a new image, you can use the podman commit command:

# podman commit [OPTIONS] CONTAINER IMAGE

CONTAINER is a container name or a container ID. IMAGE is the new image name. If the image name does not start with a registry name, the value localhost is used.

When using Cockpit, you can perform the commit operation directly from a container's Details, by clicking Commit. A dialog box opens. Specify all required details as shown below and click Commit:

Committing a container in Cockpit
Figure 4.2: Committing a container in Cockpit

4.6.2.6 Listing containers

Podman enables you to list all running containers using the podman ps command. The generic syntax of the command is as follows:

# podman  ps [OPTIONS]

Command options can change the displayed information. For example, using the --all option will output all containers created by Podman (not only the running containers).

For a complete list of podman ps options, run:

# podman ps --help

4.6.2.7 Removing containers

To remove one or more unused containers from the host, use the podman rm command as follows:

# podman rm [OPTIONS] CONTAINER

CONTAINER can be a container name or a container ID.

The command does not remove the specified container if the container is running. To remove a running container, use the -f option.

For a complete list of podman rm options, run:

# podman rm --help
Note
Note: Deleting all stopped containers

You can delete all stopped containers from your host with a single command:

# podman container prune

Make sure that each stopped container is intended to be removed before you run the command, otherwise you might remove containers that are still in use and were stopped only temporarily.

4.6.3 Working with pods

Containers can be grouped into a pod. The containers in the pod then share network, pid, and IPC namespace. Pods can be managed by podman pod commands. This section provides an overview of the commands for managing pods.

4.6.3.1 Creating pods

The command podman pod create is used to create a pod. The syntax of the command is as follows:

# podman pod create [OPTIONS]

The command outputs the pod ID. By default, the pods are created without being started. You can start a pod by running a container in the pod, or by starting the pod as described in Section 4.6.3.3, “Starting/stopping/restarting pods”.

Note
Note: Default pod names

If you do not specify a pod name with the --name option, Podman will assign a default name for the pod.

For a complete list of possible options, run the following command:

# podman pod create --help

4.6.3.2 Listing pods

You can list all pods by running the command:

# podman pod list

The output looks as follows:

POD ID        NAME               STATUS   CREATED       # OF CONTAINERS  INFRA ID
30fba506fecb  upbeat_mcclintock  Created  19 hours ago  1                4324f40c9651
976a83b4d88b  nervous_feynman    Running  19 hours ago  2                daa5732ecd02

As each pod includes the INFRA container, the number of containers in a pod is always larger than zero.

4.6.3.3 Starting/stopping/restarting pods

After a pod is created, you must start it, as it is not in the state running by default. In the commands below, POD can be a pod name or a pod ID.

To start a pod, run the command:

# podman pod start [OPTIONS] POD

For a complete list of possible options, run:

# podman pod start --help

To stop a pod, use the podman pod stop as follows:

# podman pod stop POD

To restart a pod, use the podman pod restart command as follows:

# podman pod restart POD

4.6.3.4 Managing containers in a pod

To add a new container to a pod, use the podman run command with the option --pod. A general syntax of the command follows:

# podman run [OPTIONS] --pod POD_NAME IMAGE

For details about the podman run command, refer to Section 4.6.2.1, “Running containers”.

Note
Note: Only new containers can be added to a pod

The podman start command does not allow for starting a container in a pod if the container was not added to the pod during the container's initial running.

You cannot remove a container from a pod and keep the container running, because the container itself is removed from the host.

Other actions like start, restart and stop can be performed on specific containers without affecting the status of the pod.

4.6.3.5 Removing pods

There are two ways to remove pods. You can use the podman pod rm command to remove one or more pods. Alternatively, you can remove all stopped pods using the podman pod prune command.

To remove a pod or several pods, run the podman pod rm command as follows:

# podman pod rm POD

POD can be a pod name or a pod ID.

To remove all currently stopped pods, use the podman pod prune command. Make sure that all stopped pods are intended to be removed before you run the podman pod prune command, otherwise you might remove pods that are still in use.

4.6.3.6 Monitoring processes in pods

To view all containers in all pods, use the following command:

# podman ps -a --pod

The output of the command will be similar to the following one:

CONTAINER ID  IMAGE                       COMMAND    CREATED       STATUS                 [...]
4324f40c9651  k8s.gcr.io/pause:3.2                   21 hours ago  Created
daa5732ecd02  k8s.gcr.io/pause:3.2                   22 hours ago  Up 3 hours ago
e5c8e360c54b  localhost/test:latest       /bin/bash  3 days ago    Exited (137) 3 days ago
82dad15828f7  localhost/opensuse/toolbox  /bin/bash  3 days ago    Exited (137) 3 days ago
1a23da456b6f  docker.io/i386/ubuntu       /bin/bash  4 days ago    Exited (0) 6 hours ago
df890193f651  localhost/opensuse/toolbox  /bin/bash  4 days ago    Created

The first two records are the INFRA containers of each pod, based on the k8s.gcr.io/pause:3.2 image. Other containers in the output are stand-alone containers that do not belong to any pod.

Running the YaST workload using Podman

4.7.1 Introduction

This article describes how to start the YaST workload on the Adaptable Linux Platform (ALP).

4.7.2 Requirements

  • Deployed ALP base OS.

  • Installed and enabled Podman.

4.7.3 Starting YaST in text mode

To start the text version (ncurses) of YaST as a workload, follow these steps:

  1. Identify the full URL address in a registry of container images, for example:

    > podman search yast-mgmt-ncurses
    registry.opensuse.org/suse/alp/workloads/tumbleweed_containerfiles/suse/alp/workloads/yast-mgmt-ncurses
    [...]
  2. To start the container, run the following command:

    # podman container runlabel run \
     registry.opensuse.org/suse/alp/workloads/tumbleweed_containerfiles/suse/alp/workloads/yast-mgmt-ncurses:latest
    YaST running in text mode on ALP
    Figure 4.3: YaST running in text mode on ALP

4.7.4 Starting graphical YaST

To start the graphical Qt version of YaST as a workload, follow these steps:

  1. To view the graphical YaST on your local X server, you need to use SSH X forwarding. It requires the xauth package installed, applied by the host reboot:

    # transactional-update pkg install xauth && reboot
  2. Connect to the ALP host using ssh with the X forwarding enabled:

    > ssh -X ALP_HOST
  3. Identify the full URL address in a registry of container images, for example:

    > podman search yast-mgmt-qt
    registry.opensuse.org/suse/alp/workloads/tumbleweed_containerfiles/suse/alp/workloads/yast-mgmt-qt
    [...]
  4. To start the container, run the following command:

    # podman container runlabel run \
     registry.opensuse.org/suse/alp/workloads/tumbleweed_containerfiles/suse/alp/workloads/yast-mgmt-qt:latest
    Running graphical YaST on top of ALP
    Figure 4.4: Running graphical YaST on top of ALP

Running the KVM virtualization workload using Podman

4.8.1 Introduction

This article describes how to run KVM VM Host Server on the Adaptable Linux Platform (ALP).

4.8.2 Requirements

  • Deployed ALP base OS.

  • When running ALP in a virtualized environment, you need to enable the nested KVM virtualization on the bare-metal host operating system and use kernel-default kernel instead of the default kernel-default-base in ALP.

  • Installed and enabled Podman.

4.8.3 Starting the KVM workload

ALP can serve as a host running virtual machines. The following procedure describes steps to prepare the ALP host to run containerized KVM VM Host Server and run an example VM Guest on top of it.

  1. Identify the KVM workload image:

    # podman search kvm
    registry.opensuse.org/suse/alp/workloads/tumbleweed_containerfiles/suse/alp/workloads/kvm
  2. Pull the image from the registry and install all the wrapper scripts:

    # podman container runlabel install registry.opensuse.org/suse/alp/workloads/tumbleweed_containerfiles/suse/alp/workloads/kvm:latest
  3. Create the libvirtd container from the downloaded image:

    # kvm-container-manage.sh create
  4. Start the container:

    # kvm-container-manage.sh start
  5. Optionally, run a VM Guest on top of the started KVM VM Guest using the virt-install.sh script.

    Tip
    Tip

    virt-install.sh uses the openSUSE-Tumbleweed-JeOS.x86_64-OpenStack-Cloud.qcow2 image by default. To specify another VM image, modify the APPLIANCE_MIRROR and APPLIANCE options in the /etc/kvm-container.conf file.

    Tip
    Tip

    virsh.sh is a wrapper script to launch the virsh command inside the container (the default container name is libvirtd).

    > virt-install.sh
    [...]
    Starting install...
    Password for first root login is: OPjQok1nlfKp5DRZ
    Allocating 'Tumbleweed-JeOS_5221fd7860.qcow2'            |    0 B  00:00:00 ...
    Creating domain...                                       |    0 B  00:00:00
    Running text console command: virsh --connect qemu:///system console Tumbleweed-JeOS_5221fd7860
    Connected to domain 'Tumbleweed-JeOS_5221fd7860'
    Escape character is ^] (Ctrl + ])
    
    Welcome to openSUSE Tumbleweed 20220919 - Kernel 5.19.8-1-default (hvc0).
    
    eth0: 192.168.10.67 fe80::5054:ff:fe5a:c416
    
    localhost login:

Usage of the kvm-container-manage.sh script

The kvm-container-manage.sh script is used to manage the KVM server container on the Adaptable Linux Platform (ALP). This article lists each subcommand of the script and describes its purpose.

kvm-container-manage.sh create

Creates a KVM server container from a previously downloaded container image. To download the images, use podman, for example:

# podman container runlabel install registry.opensuse.org/suse/alp/workloads/tumbleweed_containerfiles/suse/alp/workloads/kvm:latest
kvm-container-manage.sh start

Starts the KVM server container.

kvm-container-manage.sh virsh list

Lists all running VM Guests. Append the --all option to get the list of all—running and stopped—VM Guests.

kvm-container-manage.sh stop

Stops the running KVM server container.

kvm-container-manage.sh uninstall

Cleans the host environment by uninstalling all files that were required to run the KVM server container

Running the Cockpit Web server using Podman

4.9.1 Introduction

This article describes how to run a containerized Cockpit Web server on the Adaptable Linux Platform (ALP) using Podman.

Note
Note

An alternative way of installing and enabling the Cockpit Web server is described in https://en.opensuse.org/openSUSE:ALP/Workgroups/SysMngmnt/Cockpit#Install_the_Web_Server_Via_Packages.

4.9.2 Requirements

  • Deployed ALP base OS.

  • Installed and enabled Podman.

  • Installed the alp_cockpit pattern.

4.9.3 Starting the Cockpit workload

Cockpit is a tool to administer one or more hosts from one place via a Web user interface. Its default functionality is extended by plug-ins that you can install additionally. You do not need the Cockpit Web user interface installed on every ALP host. One instance of the Web interface can connect to multiple hosts if they have the alp_cockpit pattern installed.

ALP has the base part of the Cockpit component installed by default. It is included in the alp_cockpit pattern. To install and run Cockpit's Web interface, follow these steps:

  1. Identify the Cockpit Web server workload image:

    # podman search cockpit-ws
    registry.opensuse.org/suse/alp/workloads/tumbleweed_containerfiles/suse/alp/workloads/cockpit-ws
  2. Pull the image from the registry:

    # podman container runlabel install \
     registry.opensuse.org/suse/alp/workloads/tumbleweed_containerfiles/suse/alp/workloads/cockpit-ws:latest
  3. Run the Cockpit's containerized Web server:

    # podman container runlabel --name cockpit-ws run \
     registry.opensuse.org/suse/alp/workloads/tumbleweed_containerfiles/suse/alp/workloads/cockpit-ws:latest
  4. To run the Cockpit's Web server on each ALP boot, enable its service:

    # systemctl enable cockpit.service
  5. To view the Cockpit Web user interface, point your Web browser to the following address and accept the self-signed certificate:

    https://HOSTNAME_OR_IP_OF_ALP_HOST:9090
    Cockpit running on ALP
    Figure 4.5: Cockpit running on ALP

4.9.4 Next steps

Adding more functionality to Cockpit

4.9.6.1 Introduction

After you deploy Cockpit on the Adaptable Linux Platform (ALP), it already provides a default functionality. The following sections describe how to extend it by installing additional Cockpit extensions. Note that you need to reboot ALP to apply the changes.

Important
Important

Some packages described in this article are available from the ALP-Build repository which may be disabled by default. To make sure the repository is enabled, run the following command:

# zypper mr -e ALP-Build && refresh

4.9.6.2 Metrics

To enable the visualization of some current metrics, install the PCP extension:

# transactional-update pkg install cockpit-pcp
# reboot
Metrics and history in Cockpit
Figure 4.6: Metrics and history in Cockpit

4.9.6.3 Software updates

To be able to perform transactional software updates from Cockpit, install the cockpit-tukit package:

# transactional-update pkg install cockpit-tukit
# reboot
Software Updates in Cockpit
Figure 4.7: Software updates in Cockpit

4.9.6.4 Storage devices

To manage local storage devices and their associated technologies, install the cockpit-storaged package:

# transactional-update pkg install cockpit-storaged
# reboot
Storage in Cockpit
Figure 4.8: Storage in Cockpit