Podman

From Gentoo Wiki
(Redirected from Libpod)
Jump to:navigation Jump to:search
This article is a stub. You can help by expanding it.

podman is a daemonless container engine for developing, managing, and running OCI Containers on linux.

podman aims to be a drop-in replacement for docker for most user applications running docker images, setting alias docker=podman should be enough for most pipelines to switch to podman[1]. buildah and skopeo are other tools which provide the other parts of the docker stack not provided by podman, such as building and distributing images[2].

Installation

Kernel

Important
Kernel version 3.10 or greater is recommended[3].

As of podman 1.3.2 and runc 1.0.0_rc8, there is no built-in kernel config check included. However, the runc upstream provides a method of listing its required kernel configuration via check-config.sh script

Note
Some of the config options from the check-config.sh script are deprecated. They are safe to ignore.

Rootless mode

user namespaces have to be enabled in order to use the rootless mode. Many docker images make use of fuse and overlayfs, which also need to be enabled:

KERNEL Enable support for podman
General setup  --->
    -*- Namespaces support  --->
        [*]  User namespace
File systems  --->
    <*> FUSE (Filesystem in Userspace) support
    <*> Overlay filesystem support

USE flags

USE flags for app-emulation/podman Library and podman tool for running OCI-based containers in Pods

apparmor Enable AppArmor support.
btrfs Enables dependencies for the "btrfs" graph driver, including necessary kernel flags.
fuse Enables fuse dependencies (fuse-overlayfs is especially useful for rootless mode).
rootless Enables dependencies for running in rootless mode.
selinux !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur

Emerge

It is recommended to use app-emulation/crun as the OCI runtime provider, bug #723080.

root #emerge --ask --oneshot app-emulation/crun
root #emerge --ask app-emulation/podman

Configuration

Files

  • /etc/containers/registries.conf - Specifies which container registries should be searched for images.
  • /etc/containers/policy.json - Defines policies for image validation.

Defaults are provided as /etc/containers/registries.conf.example and /etc/containers/policy.json.example.

Rootless mode

podman requires the user to have a range of UIDs listed in /etc/subuid and /etc/subgid files. These UIDs are used for mapping the container UIDs to the host UIDs via user namespaces.

It is possible to edit them manually, although the recommended way is using usermod:

root #usermod --add-subuids 1065536-1131071 --add-subgids 1065536-1131071 larry

podman needs the tun kernel module to be present and loaded for allowing rootless mode to access networking.

FILE /etc/modules-load.d/networking.confLoad tun module
tun

Usage

The podman tool aims to be a drop-in replacement for docker client provided by Docker. For example, docker run becomes podman run and docker build becomes podman build.

All Container Pod-related actions are accessible via podman pod command.

Exposing containers to local network

By default, podman works in bridge mode with a separate cni-podman0 bridge, and then requests are translated to local network via NAT. It is possible to give pods/containers real ips on the local network using macvlan mode.

First enable and start the cni-dhcp daemon:

root #rc-update cni-dhcp add default
root #rc-service cni-dhcp start

Add a new network config for podman to support macvlan networks.

FILE /etc/cni/net.d/88-macvlan.conflist
{
  "cniVersion": "0.4.0",
  "name": "macvlan",
  "plugins": [
    {
      "type": "macvlan",
      "master": "br0",
      "isGateway": true,
      "ipam": {
        "type": "dhcp"
      }
    },
    {
      "type": "portmap",
      "capabilities": {
        "portMappings": true
      }
    },
    {
      "type": "firewall"
    },
    {
      "type": "tuning"
    }
  ]
}

Here it is assumed that there is an externally configured bridge br0 already in existence. It might be possible to use an existing ethernet device, such as enp5s0f0 and attach to it.

Now it is possible to create a pod with this network:

root #podman pod create --name homeserver --network macvlan

As an example to see that the pod now has the proper configuration, an alpine test container can be run inside this pod:

root #podman run -dt --pod homeserver --name alpine_test docker.io/library/alpine:latest top
root #podman exec alpine_test ifconfig

eth0      Link encap:Ethernet  HWaddr 3A:09:C6:B8:7F:DB
          inet addr:192.168.2.121  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::3809:c6ff:feb8:7fdb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:121 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:31480 (30.7 KiB)  TX bytes:2402 (2.3 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


Troubleshooting

Not enough namespaces

When running a container an error appears: error creating libpod runtime: there might not be enough IDs available in the namespace.

In this case, increase the number of user namespaces permanently via a kernel setting:

FILE /etc/sysctl.d/local.conf
user.max_user_namespaces=15076

See also

References

  1. What is podman?. Retrieved on January 17, 2021
  2. A Comprehensive Container Runtime Comparison, Retrieved on January 18, 2021
  3. Container Specification - v1, github. Retrieved on August 11, 2019