
Basic Container Management Using Podman

Publication Date: 28 Sep 2024
WHAT?

Containers offer a lightweight virtualization method to run multiple virtual environments (containers) simultaneously on a single host. Podman is the default tool on SUSE Linux Enterprise Micro to manage the containers.

WHY?

The article provides basic information about Podman and explains how it can be used to manage containers.

EFFORT

It takes about 30 minutes to read the article.

GOAL

You will understand Podman, container images and containers.

REQUIREMENTS
  • Installed Podman

1 Basics about containers

Containers offer a lightweight virtualization method to run multiple virtual environments (containers) simultaneously on a single host. Unlike technologies such as Xen or KVM, where the processor simulates a complete hardware environment and a hypervisor controls virtual machines, containers provide virtualization on the operating system level, where the kernel controls the isolated containers.

Advantages of using containers
  • Containers make it possible to isolate applications in self-contained units.

  • Containers provide near-native performance. Depending on the runtime, a container can use the host kernel directly, thus minimizing overhead.

  • It is possible to control network interfaces and apply resource limits inside containers through kernel control groups.

Limitations of containers
  • Containers run on the host system's kernel, so they cannot use different kernels or different kernel versions.

  • The security of containers depends on the host system. Containerized applications can be secured through AppArmor or SELinux profiles. Securing containers is harder than securing virtual machines because of the larger attack surface.

2 About Podman

Podman is a short name for Pod Manager Tool. It is a daemonless container engine that enables you to run and deploy applications using containers and container images. Podman provides a command-line interface to manage containers.

Because Podman runs without a daemon, it integrates with systemd: containers can be controlled through systemd units. You can create these units for existing containers as well as generate units that start containers which do not yet exist on the system. Podman can also run systemd inside containers.

Podman enables you to organize your containers into pods. Pods share the same network interface and resources. A typical use case for organizing a group of containers into a pod is a container that runs a database and a container with a client that accesses the database.

2.1 Installation of Podman

Podman is included in SLE Micro by default. However, if Podman is missing, you can install it as described below:

  1. Run the command:

    > sudo transactional-update pkg install podman
  2. Restart your system to boot into the new snapshot.

3 Getting container images

To run a container, you need an image. An image includes all dependencies needed to run an application. You can obtain images from an image registry. Available registries are defined in the /etc/containers/registries.conf configuration file. If you have a local image registry or want to use other registries, add the registries into the configuration file.

Important: No tools for building images in SUSE Linux Enterprise Micro

SUSE Linux Enterprise Micro does not provide tools for building custom images. Therefore, the only way to get an image is to pull it from an image registry.

Note: openSUSE registry and Docker Hub not enabled by default

The openSUSE registry and Docker Hub are not configured in the default installation. To download container images from those registries, you need to add the registries to the /etc/containers/registries.conf file as follows:

unqualified-search-registries = ["registry.suse.com", "registry.opensuse.org", "docker.io"]

The podman pull command pulls an image from an image registry. The syntax is as follows:

# podman pull [OPTIONS] SOURCE

The source can be an image without the registry name. In that case, Podman tries to pull the image from all registries configured in the /etc/containers/registries.conf file. The default image tag is latest. The default location of pulled images is /var/lib/containers/storage/overlay-images/.

To view all possible options of the podman pull command, run:

# podman pull --help

Note: Getting images using Cockpit

If you are using Cockpit, you can also pull images from an image registry in the Podman containers menu by clicking + Get new image.

Podman enables you to search for images in an image registry or a list of registries using the command:

# podman search IMAGE_NAME

Alternatively, you can use the skopeo tool to manage container images and image repositories. For details, refer to the following section.

3.1 skopeo

skopeo is a command-line utility for managing, inspecting and signing container images and image repositories. skopeo allows you to inspect containers and repositories on remote and local container registries, and also facilitates copying container images between different storage back-ends.

skopeo works with the following registry types:

containers-storage:IMAGE_REFERENCE

An image located in a local image store.

docker://IMAGE_REFERENCE

An image in a registry.

skopeo provides several commands to manage images and registries:

inspect

The command fetches the repository manifest and can show you information like tags available for the specified repository, labels of a container image, the operating system of an image, and so on.

The command has the following syntax, where REGISTRY_TYPE is one of the prefixes listed above (containers-storage: or docker://) written directly in front of the image name:

> skopeo inspect REGISTRY_TYPEIMAGE_NAME

An example of usage follows:

> skopeo inspect docker://registry.suse.com/suse/pcp:latest
{
  "Name": "registry.suse.com/suse/pcp",
  "Digest": "sha256:eee17c009fb8b05e5825a8c9658d972ab13a17541180bd7a1348fccc6e4fc77f",
  "RepoTags": [
      "5",
      "5-12.54",
      "5-13.10",
      ...
  ],
  "Created": "2023-06-19T16:59:01.617731565Z",
  "DockerVersion": "20.10.23-ce",
  "Labels": {
      "com.suse.application.pcp.created": "2023-06-19T16:58:29.786850402Z",
      "com.suse.application.pcp.description": "Performance Co-Pilot (pcp) container image based on the SLE Base Container Image. This container image is not supported when using a container runtime other than podman.",
      ...
  },
  "Architecture": "amd64",
  "Os": "linux",
  "Layers": [
      "sha256:a05e4c4d1fc89c7f7aa60829b8631b64873df6041f627eb2b43524e9e010446e",
      "sha256:19793da49ce886a67aa62657dc24a105a26d63568ce27de241246bc6cc9bc008",
      "sha256:403f9ef6c98d4cf277caf3166ca4455817828e33c8b699237bb8eb24cb2b41bf"
  ],
  "LayersData": [
      {
          "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
          "Digest": "sha256:a05e4c4d1fc89c7f7aa60829b8631b64873df6041f627eb2b43524e9e010446e",
          "Size": 47291175,
          "Annotations": null
      },
      ...
  ],
  "Env": [
      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
  ]
}

copy

The command enables you to copy container images between registries, container storage back-ends and local directories.

An example of usage follows:

> skopeo copy oci:busybox_ocilayout:latest dir:existingemptydirectory

delete

To mark an image for later removal by the registry's garbage collector.

> skopeo delete docker://registry.example.com/example/pause:latest

sync

To synchronize images between registry repositories and local directories.
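The tag latest is mutable, so the Digest field in the skopeo inspect output above is the value worth recording and pulling by. The following POSIX shell functions are an added example and not part of the SUSE documentation: they read skopeo inspect JSON from standard input, build an immutable NAME@DIGEST reference, and compare the reported digest with one recorded earlier. The function names, the abbreviated sample output and RECORDED_DIGEST are this example's own.

```shell
#!/bin/sh
# Print the manifest digest from `skopeo inspect` JSON read on stdin, or return 1.
# skopeo prints the top-level "Digest" before the per-layer digests in "LayersData",
# so the first match is the manifest digest.
digest_from_inspect() {
    sed -n 's/^[[:space:]]*"Digest": "\(sha256:[0-9a-f]\{64\}\)".*/\1/p' | head -n 1 | grep .
}

# Build an immutable reference NAME@DIGEST from the "Name" and "Digest" fields,
# usable with `podman pull NAME@DIGEST` or `skopeo copy docker://NAME@DIGEST ...`.
pinned_ref() {
    json=$(cat)
    name=$(printf '%s\n' "$json" | sed -n 's/^[[:space:]]*"Name": "\([^"]*\)".*/\1/p' | head -n 1)
    digest=$(printf '%s\n' "$json" | digest_from_inspect) || return 1
    [ -n "$name" ] || return 1
    printf '%s@%s\n' "$name" "$digest"
}

# Return 0 only if the digest in the inspect output equals the one recorded at review time.
verify_digest() {
    expected=$1
    actual=$(digest_from_inspect) || return 1
    [ "$actual" = "$expected" ]
}

# Constructed sample: an abbreviated copy of the skopeo inspect output shown above.
SAMPLE_INSPECT='{
  "Name": "registry.suse.com/suse/pcp",
  "Digest": "sha256:eee17c009fb8b05e5825a8c9658d972ab13a17541180bd7a1348fccc6e4fc77f",
  "RepoTags": ["5", "5-12.54", "5-13.10"],
  "LayersData": [
      {
          "Digest": "sha256:a05e4c4d1fc89c7f7aa60829b8631b64873df6041f627eb2b43524e9e010446e"
      }
  ]
}'
# Digest noted when the image was last reviewed (constructed for this example).
RECORDED_DIGEST="sha256:eee17c009fb8b05e5825a8c9658d972ab13a17541180bd7a1348fccc6e4fc77f"

# Demonstration; real use pipes `skopeo inspect docker://IMAGE` into these functions.
printf '%s\n' "$SAMPLE_INSPECT" | pinned_ref
if printf '%s\n' "$SAMPLE_INSPECT" | verify_digest "$RECORDED_DIGEST"; then
    echo "digest matches the recorded value"
else
    echo "digest changed since review; do not pull" >&2
fi
```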

4 Working with containers

4.1 Running containers

After you have pulled your container image, you can create containers based on it. You can run an instance of the image using the podman run command. The command syntax is as follows:

# podman run [OPTIONS] IMAGE [COMMAND [ARG...]]

IMAGE is specified in the format transport:path. If transport is omitted, the default docker is used. The path can reference a specific image registry. If omitted, Podman searches for the image in registries defined in the /etc/containers/registries.conf file. Anything that follows IMAGE is executed as the command inside the container, so the container name is given with the --name option. An example that runs a container called sles15 based on the sle15 image follows:

# podman run --name sles15 registry.opensuse.org/suse/templates/images/sle-15-sp4/base/images/suse/sle15

Below is a list of frequently used options. For a complete list of available options, run the command: podman run --help.

--detach, -d

The container will run in the background.

--env, -e=env

Sets arbitrary environment variables that are available to the process launched inside the container. If an environment variable is specified without a value, Podman checks the host environment for a value and sets the variable only if it is set on the host.

--help

Prints help for the podman run command.

--hostname=name, -h

Sets the container host name that is available inside the container.

--pod=name

Runs the container in an existing pod. To create a pod, prefix the pod name with new:.

--read-only

Mounts the container’s root file system as read-only.

--systemd=true|false|always

Runs the container in systemd mode. The default is true.
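As an added example that is not part of the SUSE documentation, the following POSIX shell wrapper combines the options above with a check that the image reference is fully qualified and pinned to a tag or digest, since an unqualified name is searched across every registry listed in /etc/containers/registries.conf. The names is_qualified_ref and run_readonly and the PODMAN variable are this example's own.

```shell
#!/bin/sh
# Container engine to invoke; set PODMAN=echo to print the assembled command instead.
PODMAN=${PODMAN:-podman}

# Return 0 if IMAGE names its registry explicitly (first path component is
# "localhost", contains a dot or a port) and ends in a tag or digest, else 1.
# An unqualified name such as "sle15" is searched across all configured
# registries, so a same-named image elsewhere could be pulled instead.
is_qualified_ref() {
    ref=$1
    case $ref in
        */*) host=${ref%%/*} ;;
        *) return 1 ;;                 # no registry component at all
    esac
    case $host in
        localhost|*.*|*:*) ;;
        *) return 1 ;;                 # first component is not a registry host
    esac
    case ${ref##*/} in                 # last path component
        *@sha256:*|*:*) return 0 ;;    # pinned by digest or explicit tag
        *) return 1 ;;                 # would silently default to :latest
    esac
}

# Start IMAGE detached with a read-only root file system and an explicit name
# and host name; extra options (e.g. --env TZ=UTC) are passed through.
run_readonly() {
    name=$1
    image=$2
    shift 2
    if ! is_qualified_ref "$image"; then
        echo "refusing to run unqualified or unpinned image: $image" >&2
        return 2
    fi
    "$PODMAN" run --detach --read-only --name "$name" --hostname "$name" "$@" "$image"
}

# Demonstration of the reference check on names that appear in this article.
for ref in sle15 registry.suse.com/suse/pcp localhost/test:latest \
           registry.suse.com/suse/pcp:5-13.10; do
    if is_qualified_ref "$ref"; then
        echo "ok:     $ref"
    else
        echo "reject: $ref"
    fi
done
```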

4.2 Listing containers

Podman enables you to list all running containers using the podman ps command. The generic syntax of the command is as follows:

# podman ps [OPTIONS]

Command options can change the displayed information. For example, using the --all option will output all containers created by Podman (not only the running containers).

For a complete list of podman ps options, run:

# podman ps --help

4.3 Stopping containers

If the podman run command finished successfully, a new container has been started. You can stop the container by running:

# podman stop [OPTIONS] CONTAINER

You can specify a single container name or ID or a space-separated list of containers. The command takes the following options:

--all, -a

Stops all running containers.

--latest, -l

Stops the most recently created container instead of a container specified by name.

--time, -t=seconds

Seconds to wait before forcibly stopping the container.

To view all possible options of the podman stop command, run the following:

# podman stop --help

4.4 Starting containers

To start already created but stopped containers, use the podman start command. The command syntax is as follows:

# podman start [OPTIONS] CONTAINER

CONTAINER can be a container name or a container ID.

For a complete list of possible options of podman start, run the command:

# podman start --help

4.4.1 Committing modified containers

You can run a new container with specific attributes that are not part of the original image. To save the container with these attributes as a new image, you can use the podman commit command:

# podman commit [OPTIONS] CONTAINER IMAGE

CONTAINER is a container name or a container ID. IMAGE is the new image name. If the image name does not start with a registry name, the value localhost is used.

4.5 Removing containers

To remove one or more unused containers from the host, use the podman rm command as follows:

# podman rm [OPTIONS] CONTAINER

CONTAINER can be a container name or a container ID.

The command does not remove the specified container if the container is running. To remove a running container, use the -f option.

For a complete list of podman rm options, run:

# podman rm --help

Note: Deleting all stopped containers

You can delete all stopped containers from your host with a single command:

# podman container prune

Make sure that each stopped container is intended to be removed before you run the command, otherwise you might remove containers that are still in use and were stopped only temporarily.

5 Working with pods

Containers can be grouped into a pod. The containers in a pod share the network, PID and IPC namespaces. Pods are managed with the podman pod commands. This section provides an overview of the commands for managing pods.

5.1 Creating pods

The command podman pod create is used to create a pod. The syntax of the command is as follows:

# podman pod create [OPTIONS]

The command outputs the pod ID. By default, the pods are created without being started. You can start a pod by running a container in the pod, or by starting the pod as described in Section 5.3, “Starting/stopping/restarting pods”.

Note: Default pod names

If you do not specify a pod name with the --name option, Podman will assign a default name for the pod.

For a complete list of possible options, run the following command:

# podman pod create --help

5.2 Listing pods

You can list all pods by running the command:

# podman pod list

The output looks as follows:

POD ID        NAME               STATUS   CREATED       # OF CONTAINERS  INFRA ID
30fba506fecb  upbeat_mcclintock  Created  19 hours ago  1                4324f40c9651
976a83b4d88b  nervous_feynman    Running  19 hours ago  2                daa5732ecd02

As each pod includes the INFRA container, the number of containers in a pod is always larger than zero.

5.3 Starting/stopping/restarting pods

After a pod is created, you must start it, because a new pod is not in the running state by default. In the commands below, POD can be a pod name or a pod ID.

To start a pod, run the command:

# podman pod start [OPTIONS] POD

For a complete list of possible options, run:

# podman pod start --help

To stop a pod, use the podman pod stop command as follows:

# podman pod stop POD

To restart a pod, use the podman pod restart command as follows:

# podman pod restart POD

5.4 Managing containers in a pod

To add a new container to a pod, use the podman run command with the option --pod. A general syntax of the command follows:

# podman run [OPTIONS] --pod POD_NAME IMAGE

For details about the podman run command, refer to Section 4.1, “Running containers”.

Note: Only new containers can be added to a pod

The podman start command cannot start a container in a pod unless the container was added to the pod when it was first run.

You cannot remove a container from a pod and keep the container running, because the container itself is removed from the host.

Other actions like start, restart and stop can be performed on specific containers without affecting the status of the pod.

5.5 Monitoring processes in pods

To view all containers in all pods, use the following command:

# podman ps -a --pod

The output of the command will be similar to the following one:

CONTAINER ID  IMAGE                       COMMAND    CREATED       STATUS                 [...]
4324f40c9651  k8s.gcr.io/pause:3.2                   21 hours ago  Created
daa5732ecd02  k8s.gcr.io/pause:3.2                   22 hours ago  Up 3 hours ago
e5c8e360c54b  localhost/test:latest       /bin/bash  3 days ago    Exited (137) 3 days ago
82dad15828f7  localhost/opensuse/toolbox  /bin/bash  3 days ago    Exited (137) 3 days ago
1a23da456b6f  docker.io/i386/ubuntu       /bin/bash  4 days ago    Exited (0) 6 hours ago
df890193f651  localhost/opensuse/toolbox  /bin/bash  4 days ago    Created

The first two records are the INFRA containers of each pod, based on the k8s.gcr.io/pause:3.2 image. Other containers in the output are stand-alone containers that do not belong to any pod.

5.6 Removing pods

There are two ways to remove pods. You can use the podman pod rm command to remove one or more pods. Alternatively, you can remove all stopped pods using the podman pod prune command.

To remove a pod or several pods, run the podman pod rm command as follows:

# podman pod rm POD

POD can be a pod name or a pod ID.

To remove all currently stopped pods, use the podman pod prune command. Make sure that all stopped pods are intended to be removed before you run the podman pod prune command, otherwise you might remove pods that are still in use.