OpenShift Commons - Adopting Podman, Skopeo and Buildah for Building and Managing Containers
1 like183 views
The document discusses the adoption of Red Hat's container tools, including Podman, Buildah, Skopeo, and Clair, highlighting their benefits for end-to-end container build processes. Key use cases include transitioning from Docker to Podman, managing secure base images, and utilizing universal base images for application development. The document also outlines installation and usage instructions for these tools, emphasizing rootless container management and resources for further learning.
OpenShift Commons - Adopting Podman, Skopeo and Buildah for Building and Managing Containers
- 1. Lessons Learned Adopting RHEL Container Tools Podman, Buildah, Quay, Skopeo, Clair and S2I Mihai Criveti, CTO & STSM, RHCA, IBM Elif Mosessohn-Samedin, RHCA II, Take off Labs 1
- 2. Agenda and Introduction Use Case: Team Driven End-to-End Container Build Podman, Skopeo and Buildah Resources and Links 2
- 4. Overview Adopting Podman for end-to-end container run and build. Use cases: • Understand the impact of SELinux, namespaces and cgroups. • Move from docker-compose to Podman pods. • Build container images for OpenShift Container Platform. 3
- 5. Speaker Overview Mihai CRIVETI Mihai builds containers for fun and profit, sometimes in the cloud, sometimes in his home datacenter, when the weather is cold. He’s also a Red Hat Certified Architect and the CTO and Senior Technical Staff Member for Cloud Native and Red Hat Solutions at IBM, where he builds multi-cloud solutions based on Red Hat OpenShift. Elif MOSESSOHN-SAMEDIN DevOps (Automation) Engineer with experience in Infrastructure Optimization and Management. Red Hat Certified Architect in Infrastructure and ITIL Certified in IT Service Management. Advocate for Continuous Learning, Open Source Communities, and Technical Innovation. 4
- 6. Use Case: Team Driven End-to-End Container Build
- 7. Breaking this up • Elif is responsible for developing the secure base images and pushing them to a private registry. • Mihai is responsible for building applications using the provided images. 5
- 8. Podman, Skopeo and Buildah
- 9. Podman Overview What is Podman? Figure 1: Podman - Manage pods, containers and OCI compliant container images How is Podman different? • Can be run as a regular user without requiring root. • Can manage pods (groups of one or more containers that operate together). • Lets you import Kubernetes definitions using podman play. • Fork-exec model instead of client-server model (containers are child processes of podman). • Compatible with Docker, Docker Hub or any OCI compliant container implementation. 6
- 10. Buildah What is Buildah? Figure 2: Buildah - Build container images from CLI or Dockerfiles How is Buildah different? • Containers can be build using simple CLI commands or shell scripts instead of Dockerfiles. • Images can then be pushed to any container registry and can be used by any container engine, including Podman, CRI-O, and Docker. • Buildah is also often used to securely build containers while running inside of a locked down container by a tool like Podman, OpenShift/Kubernetes or Docker. 7
- 11. Skopeo What is Skopeo? Figure 3: skopeo - inspect and copy containers and images between different storage How does Skopeo help? • It can copy images to and from a host, as well as to other container environments and registries. • Skopeo can inspect images from container image registries, get images and image layers, and use signatures to create and verify images. 8
- 12. Red Hat Image Sources Explained Red Hat Software Collections Library (RHSCL) • For developers that need the latest versions of tools not in the RHEL release schedule. • Use the latest development tools without impacting RHEL. • Available to all RHEL subscribers. Red Hat Container Catalog (RHCC) • Certified, curated and texted images built on RHEL. • Images have gone through a QA process. • Upgraded on a regular bases to avoid security vulnerabilities. Quay.io • Public / private container repository. 9
- 13. Universal Base Image - UBI Red Hat Universal Base Image - UBI Figure 4: UBI - Freely distributable OCI compliant secure container base images based on RHEL How does UBI Help? • More than just a base image, UBI provides three base images across RHEL 7 and RHEL 8: ubi, ubi-minimal and ubi-init • And a set of language runtimes (ex: nodejs, ruby, python, php, perl, etc.) • All packages in UBI come from RHEL channels and are supported on RHEL and OpenShift. • Secure by default, maintained and supported by Red Hat. 10
- 14. The Red Hat Container Catalog Certified container images from Red Hat and 3rd party vendors Figure 5: Container Images with a Container Health Index Pulling a container image podman pull registry.access.redhat.com/ubi8/python-38 11
- 15. Podman Compose What is podman-compose? • An implementation of docker-compose with Podman backend. When and why use podman-compose? • run unmodified docker-compose.yaml files, rootless • no daemon or setup required • Only depends on podman, Python 3 and PyYAML. When NOT to use podman-compose? • When you can use podman pod or podman generate and podman play‘ instead to create pods or import Kubernetes definitions. • For single-machine development, consider CodeReady Containers • For multi-node clusters, check out Red Hat OpenShift, Kubernetes or OKD. Getting podman-compose • macOS • Windows 12
- 16. Install Podman, Skopeo and Buildah Fedora 33 / RHEL 8 # Install podman, buildah and skopeo on Fedora 33 sudo dnf -y install podman buildah skopeo slirp4netns fuse-overlayfs Ubuntu / Debian sudo apt update && sudo apt -y install podman buildah skopeo Getting Help podman version podman --help # list available commands man podman-ps # or commands like run, rm, rmi, image, build podman info # display podman system information https://podman.io/getting-started/installation 13
- 17. Rootless Containers and cgroup v2 Note that our regular user has UID 1000 uid=1000(cmihai) gid=1000(cmihai) groups=1000(cmihai) What are UIDs mapped to inside the container? podman unshare cat /proc/self/uid_map 0 1000 1 1 100000 65536 UID 0 is mapped my UID (1000). UID 1 is mapped to 100000, UID 2 would map to 100001, etc. That means that a container UID of 27 would map to UID 1000026. Let’s test this mkdir test && podman unshare chown 27:27 test ls -ld test drwxrwxr-x. 2 100026 100026 4096 Sep 27 09:38 test 14
- 20. Getting started with Podman • https://podman.io/getting-started/ • https://github.com/containers/buildah • https://github.com/containers/skopeo • https://developers.redhat.com/products/rhel/ubi • https://quay.io/ • https://www.katacoda.com/courses/containers-without-docker/running-containers-with-podman • https://developers.redhat.com/products/codeready-containers/overview 16