
@tnk4on
Last active August 21, 2023 01:14
PIA command review

env

RHEL

https://www.redhat.com/ja/interactive-labs/red-hat-enterprise-linux-open-lab

# cat /etc/redhat-release 
Red Hat Enterprise Linux release 9.1 (Plow)
# podman version
Client:       Podman Engine
Version:      4.4.1
API Version:  4.4.1
Go Version:   go1.19.6
Built:        Wed Apr 26 16:50:2

Fedora

# cat /etc/redhat-release
Fedora release 38 (Thirty Eight)
# podman version
Client:       Podman Engine
Version:      4.5.1
API Version:  4.5.1
Go Version:   go1.20.4
Built:        Sat May 27 02:58:19 2023
OS/Arch:      linux/arm64

Chapter.1

1.2.3

Original

$ podman inspect registry.access.redhat.com/ubi8
[
     {
...
          "Created": "2023-05-03T15:13:33.041360115Z",
          "Config": {
               "Env": [
                    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                    "container=oci"
               ],
               "Cmd": [
                    "/bin/bash"
               ],
               "Labels": {
                    "architecture": "x86_64",
                    "build-date": "2023-05-03T15:02:11",

...
          "Architecture": "amd64",
          "Os": "linux",
...
]

Check

# podman pull registry.access.redhat.com/ubi8
# podman inspect docker://registry.access.redhat.com/ubi8
[]
Error: inspecting object: no such object: "docker://registry.access.redhat.com/ubi8"
# podman inspect registry.access.redhat.com/ubi8
[
     {
          "Id": "2ec437f86a60170aae0eddeffb366b09efb6e12e40b9a3f6ea8fb89ab466e50a",
          "Digest": "sha256:a7143118671dfc61aca46e8ab9e488500495a3c4c73a69577ca9386564614c13",
          "RepoTags": [
               "registry.access.redhat.com/ubi8:latest"
          ],
          "RepoDigests": [
               "registry.access.redhat.com/ubi8@sha256:754bdb0dcbfd7f779d7b470ba09a186949ac409907bcc5d52941f39c78e12349",
               "registry.access.redhat.com/ubi8@sha256:a7143118671dfc61aca46e8ab9e488500495a3c4c73a69577ca9386564614c13"
          ],
          "Parent": "",
          "Comment": "",
          "Created": "2023-05-03T15:13:34.345380557Z",
          "Config": {
               "Env": [
                    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                    "container=oci"
               ],
               "Cmd": [
                    "/bin/bash"
               ],
               "Labels": {
                    "architecture": "aarch64",
                    "build-date": "2023-05-03T15:02:11",
                    "com.redhat.component": "ubi8-container",
                    "com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
                    "description": "The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.",
                    "distribution-scope": "public",
                    "io.buildah.version": "1.27.3",
                    "io.k8s.description": "The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.",
                    "io.k8s.display-name": "Red Hat Universal Base Image 8",
                    "io.openshift.expose-services": "",
                    "io.openshift.tags": "base rhel8",
                    "maintainer": "Red Hat, Inc.",
                    "name": "ubi8",
                    "release": "854",
                    "summary": "Provides the latest release of Red Hat Universal Base Image 8.",
                    "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8/images/8.8-854",
                    "vcs-ref": "384f2bb33eebab960262e967aa16d01fe2dbebff",
                    "vcs-type": "git",
                    "vendor": "Red Hat, Inc.",
                    "version": "8.8"
               }
          },
          "Version": "",
          "Author": "",
          "Architecture": "arm64",
          "Os": "linux",
          "Size": 236650190,
          "VirtualSize": 236650190,
          "GraphDriver": {
               "Name": "overlay",
               "Data": {
                    "UpperDir": "/var/lib/containers/storage/overlay/7cd83e46b22234ac775ed33e7b0c18d697f2e124681fd0592e859d2ee17fbcd4/diff",
                    "WorkDir": "/var/lib/containers/storage/overlay/7cd83e46b22234ac775ed33e7b0c18d697f2e124681fd0592e859d2ee17fbcd4/work"
               }
          },
          "RootFS": {
               "Type": "layers",
               "Layers": [
                    "sha256:7cd83e46b22234ac775ed33e7b0c18d697f2e124681fd0592e859d2ee17fbcd4"
               ]
          },
          "Labels": {
               "architecture": "aarch64",
               "build-date": "2023-05-03T15:02:11",
               "com.redhat.component": "ubi8-container",
               "com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
               "description": "The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.",
               "distribution-scope": "public",
               "io.buildah.version": "1.27.3",
               "io.k8s.description": "The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.",
               "io.k8s.display-name": "Red Hat Universal Base Image 8",
               "io.openshift.expose-services": "",
               "io.openshift.tags": "base rhel8",
               "maintainer": "Red Hat, Inc.",
               "name": "ubi8",
               "release": "854",
               "summary": "Provides the latest release of Red Hat Universal Base Image 8.",
               "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8/images/8.8-854",
               "vcs-ref": "384f2bb33eebab960262e967aa16d01fe2dbebff",
               "vcs-type": "git",
               "vendor": "Red Hat, Inc.",
               "version": "8.8"
          },
          "Annotations": {},
          "ManifestType": "application/vnd.docker.distribution.manifest.v2+json",
          "User": "",
          "History": [
               {
                    "created": "2023-05-03T15:13:25.841205911Z",
                    "created_by": "/bin/sh -c #(nop) ADD file:d4ce40ed71f93360eb566d5642a6323867424aaf86787f340f7a103eda55b330 in / ",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:27.04632269Z",
                    "created_by": "/bin/sh -c mv -f /etc/yum.repos.d/ubi.repo /tmp || :",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:27.179838072Z",
                    "created_by": "/bin/sh -c #(nop) ADD file:214c1de395c24e4a86ef9a706069ef30a9e804c63f851c37c35655e16fea3ced in /tmp/tls-ca-bundle.pem ",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:27.339878473Z",
                    "created_by": "/bin/sh -c #(nop) ADD multi:62a5ed918ba581cb28e63a96c95a2291910a696c57ec0a22b415b43695503828 in /etc/yum.repos.d/ ",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:27.339904674Z",
                    "created_by": "/bin/sh -c #(nop) LABEL maintainer=\"Red Hat, Inc.\"",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:27.339957354Z",
                    "created_by": "/bin/sh -c #(nop) LABEL com.redhat.component=\"ubi8-container\"       name=\"ubi8\"       version=\"8.8\"",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:27.339978674Z",
                    "created_by": "/bin/sh -c #(nop) LABEL com.redhat.license_terms=\"https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI\"",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:27.339999594Z",
                    "created_by": "/bin/sh -c #(nop) LABEL summary=\"Provides the latest release of Red Hat Universal Base Image 8.\"",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:27.340047394Z",
                    "created_by": "/bin/sh -c #(nop) LABEL description=\"The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.\"",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:27.340070634Z",
                    "created_by": "/bin/sh -c #(nop) LABEL io.k8s.display-name=\"Red Hat Universal Base Image 8\"",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:27.340084034Z",
                    "created_by": "/bin/sh -c #(nop) LABEL io.openshift.expose-services=\"\"",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:27.340102635Z",
                    "created_by": "/bin/sh -c #(nop) LABEL io.openshift.tags=\"base rhel8\"",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:27.340111395Z",
                    "created_by": "/bin/sh -c #(nop) ENV container oci",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:27.340139435Z",
                    "created_by": "/bin/sh -c #(nop) ENV PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:27.340143875Z",
                    "created_by": "/bin/sh -c #(nop) CMD [\"/bin/bash\"]",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:28.715370027Z",
                    "created_by": "/bin/sh -c rm -rf /var/log/*",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:30.064495043Z",
                    "created_by": "/bin/sh -c mkdir -p /var/log/rhsm",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:30.064527043Z",
                    "created_by": "/bin/sh -c #(nop) LABEL release=854",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:30.19888655Z",
                    "created_by": "/bin/sh -c #(nop) ADD file:d75346724bbdb8ac0fbf886e8b6284850b718d6d12cde397deb478d290e976f0 in /root/buildinfo/content_manifests/ubi8-container-8.8-854.json ",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:30.332759974Z",
                    "created_by": "/bin/sh -c #(nop) ADD file:b074c0bd056b8f7f73af4c7b56f15e749578916d90897563465e390d1e444b38 in /root/buildinfo/Dockerfile-ubi8-8.8-854 ",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:30.332875534Z",
                    "created_by": "/bin/sh -c #(nop) LABEL \"distribution-scope\"=\"public\" \"vendor\"=\"Red Hat, Inc.\" \"build-date\"=\"2023-05-03T15:02:11\" \"architecture\"=\"aarch64\" \"vcs-type\"=\"git\" \"vcs-ref\"=\"384f2bb33eebab960262e967aa16d01fe2dbebff\" \"io.k8s.description\"=\"The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.\" \"url\"=\"https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8/images/8.8-854\"",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:31.785802976Z",
                    "created_by": "/bin/sh -c rm -f '/etc/yum.repos.d/repo-700b5.repo' '/etc/yum.repos.d/repo-cb269.repo'",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:33.005936793Z",
                    "created_by": "/bin/sh -c rm -f /tmp/tls-ca-bundle.pem",
                    "empty_layer": true
               },
               {
                    "created": "2023-05-03T15:13:34.872725291Z",
                    "created_by": "/bin/sh -c mv -fZ /tmp/ubi.repo /etc/yum.repos.d/ubi.repo || :"
               }
          ],
          "NamesHistory": [
               "registry.access.redhat.com/ubi8:latest"
          ]
     }
]

Original

$ skopeo inspect --raw docker://registry.access.redhat.com/ubi8
{
    "manifests": [
        {
            "digest": ➥"sha256:0a342233b8a501dc2e46b943ad75bedb396ff6bc27dfc02665fd2014ebd87f8d",
            "mediaType": ➥"application/vnd.docker.distribution.manifest.v2+json",
            "platform": {
                "architecture": "amd64",
                "os": "linux"
            },
            "size": 429
        },
        {
            "digest": ➥"sha256:754bdb0dcbfd7f779d7b470ba09a186949ac409907bcc5d52941f39c78e12349",
            "mediaType": ➥"application/vnd.docker.distribution.manifest.v2+json",
            "platform": {
                "architecture": "arm64",
                "os": "linux"
            },
            "size": 429
        },
...
}

Check

# skopeo inspect --raw docker:/ /registry.access.redhat.com/ubi8
FATA[0000] Exactly one argument expected
# skopeo inspect --raw docker://registry.access.redhat.com/ubi8
{
    "manifests": [
        {
            "digest": "sha256:0a342233b8a501dc2e46b943ad75bedb396ff6bc27dfc02665fd2014ebd87f8d",
            "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
            "platform": {
                "architecture": "amd64",
                "os": "linux"
            },
            "size": 429
        },
        {
            "digest": "sha256:754bdb0dcbfd7f779d7b470ba09a186949ac409907bcc5d52941f39c78e12349",
            "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
            "platform": {
                "architecture": "arm64",
                "os": "linux"
            },
            "size": 429
        },
        {
            "digest": "sha256:1f291fd0af207ef12964d093349ee3240b932d4b193108ef84dd560fe95c9c24",
            "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
            "platform": {
                "architecture": "ppc64le",
                "os": "linux"
            },
            "size": 429
        },
        {
            "digest": "sha256:2e6a3e175ce75a91780d346bac9004dc961c8c3ccd89ecccd982a9ea88f09f8b",
            "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
            "platform": {
                "architecture": "s390x",
                "os": "linux"
            },
            "size": 429
        }
    ],
    "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
    "schemaVersion": 2

1.3.9

Original

$ podman pull ubi8/httpd-24
? Please select an image:
    registry.fedoraproject.org/ubi8/httpd-24:latest
  ▸ registry.access.redhat.com/ubi8/httpd-24:latest
    docker.io/ubi8/httpd-24:latest
    quay.io/ubi8/httpd-24:latest

Check

  • RHEL 9.1/Podman 4.4.1
$ podman pull ubi8/httpd-24
Resolved "ubi8/httpd-24" as an alias (/etc/containers/registries.conf.d/001-rhel-shortnames.conf)
Trying to pull registry.redhat.io/ubi8/httpd-24:latest...
Error: initializing source docker://registry.redhat.io/ubi8/httpd-24:latest: unable to retrieve auth token: invalid username/password: unauthorized: Please login to the Red Hat Registry us

$ cat /etc/containers/registries.conf.d/* | grep ubi8/httpd-24
"ubi8/httpd-24" = "registry.redhat.io/ubi8/httpd-24"
  • Fedora 38/Podman 4.5.1
podman pull ubi8/httpd-24
? Please select an image:
    registry.fedoraproject.org/ubi8/httpd-24:latest
  ▸ registry.access.redhat.com/ubi8/httpd-24:latest
    docker.io/ubi8/httpd-24:latest
    quay.io/ubi8/httpd-24:latest
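
The alias lookup behind the "Resolved ... as an alias" line in the RHEL run above, as an added shell example that is not part of the gist: it parses the `[aliases]` table format of a registries.conf.d file (a constructed sample here, with the same `"ubi8/httpd-24" = "registry.redhat.io/ubi8/httpd-24"` entry the grep found) and resolves a short name to a fully qualified reference, or reports it as unresolved, which is the case where podman instead falls back to unqualified-search-registries and prompts, as in the Fedora run. The function names and the sample file are assumptions, not podman code.

```shell
#!/bin/sh
# Added example (not from the gist or from podman): reproduce podman's short-name
# alias lookup over a constructed registries.conf.d alias file.
# Assumed input format, as in /etc/containers/registries.conf.d/*.conf:
#   [aliases]
#     "short/name" = "registry.example.com/short/name"

# make_fixture: write a constructed alias file into a temp dir and print the dir.
make_fixture() {
  dir=$(mktemp -d)
  cat > "$dir/001-shortnames.conf" <<'EOF'
[aliases]
  "ubi8/httpd-24" = "registry.redhat.io/ubi8/httpd-24"
  "ubi8" = "registry.access.redhat.com/ubi8"
EOF
  echo "$dir"
}

# resolve_short_name CONFDIR NAME
# Prints the fully qualified reference (tag preserved) and returns 0,
# or prints "unresolved" and returns 1 when no alias matches.
resolve_short_name() {
  confdir=$1
  name=$2

  # A first path component that looks like a host (has a dot, a port, or is
  # "localhost") means the name is already qualified; pass it through.
  case $name in
    */*)
      first=${name%%/*}
      case $first in
        *.*|*:*|localhost) echo "$name"; return 0 ;;
      esac
      ;;
  esac

  # Strip an optional :tag before the lookup and re-append it afterwards.
  # (Digest references with @sha256:... are not handled by this example.)
  tag=""
  case $name in
    *:*) tag=":${name##*:}"; name=${name%:*} ;;
  esac

  # Extract "key" = "value" pairs from every .conf file and pick the matching key.
  result=$(cat "$confdir"/*.conf 2>/dev/null \
    | sed -n 's/^[[:space:]]*"\([^"]*\)"[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1 \2/p' \
    | awk -v n="$name" '$1 == n { print $2; exit }')

  if [ -n "$result" ]; then
    echo "$result$tag"
    return 0
  fi
  echo "unresolved"
  return 1
}

# Demo: resolve the two short names the gist pulls, against the constructed file.
demo_dir=$(make_fixture)
resolve_short_name "$demo_dir" ubi8/httpd-24
resolve_short_name "$demo_dir" ubi8
rm -rf "$demo_dir"
```

Whether a short name is silently rewritten to registry.redhat.io (RHEL) or left to an interactive prompt (Fedora) depends entirely on which alias files are installed, so the conf directory is the thing to audit when two hosts pull different images for the same command.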

Chapter.2

2.1.1

Original

$ podman run -ti --rm registry.access.redhat.com/ubi8/httpd-24 bash

Check

# podman run -ti --rm registry.access.redhat.com/ubi8/httpd-24 bash
Trying to pull registry.access.redhat.com/ubi8/httpd-24:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob dc5bc235f26c done
Copying blob 9bbbde070cc8 done
Copying blob 992b74ad6a0c done
Copying config 0db7544391 done
Writing manifest to image destination
Storing signatures
bash-4.4$

Original

bash-4.4$ grep PRETTY_NAME /etc/os-release
PRETTY_NAME="Red Hat Enterprise Linux 8.4 (Ootpa)"

Check

grep PRETTY_NAME /etc/os-release
PRETTY_NAME="Red Hat Enterprise Linux 8.8 (Ootpa)"

Original

ls /usr/bin | wc -l
525

Check

bash-4.4$ ls /usr/bin | wc -l
524

2.1.2

$ podman run -d -p 8080:8080 --name myapp registry.access.redhat.com/ubi8/httpd-24
37a1d2e31dbf4fa311a5ca6453f53106eaae2d8b9da264015cc3f8864fac22

figure 2.2

$ podman port myapp
8080/tcp -> 0.0.0.0:8080
$ podman run -d -p 8081:8080 --name myapp1 registry.access.redhat.com/ubi8/httpd-24
8bd5e05b748a4d25d42992371fb0294fc9f7cb4f92811a4f62d298083779ad16

2.1.3

Original

$ podman stop myapp

Check

$ podman stop myapp
myapp

2.1.5

Original

$ podman ps
CONTAINER ID IMAGE COMMAND CREATED \
➥ STATUS PORTS NAMES
b1255e94d084 registry.access.redhat.com/ubi8/httpd-24:latest /usr/bin/run-\ 
➥ http... 6 minutes ago Up 4 minutes ago 0.0.0.0:8080->8080/tcp myapp

Check

podman ps
CONTAINER ID  IMAGE                                            COMMAND               CREATED             STATUS             PORTS                   NAMES
dda54f7e59ce  registry.access.redhat.com/ubi8/httpd-24:latest  /usr/bin/run-http...  About a minute ago  Up About a minute  0.0.0.0:8080->8080/tcp  myapp

Original

$ podman ps --all
CONTAINER ID IMAGE COMMAND CREATED \
➥ STATUS PORTS NAMES
b1255e94d084 registry.access.redhat.com/ubi8/httpd-24:latest /usr/bin/run-\
➥ http... 9 minutes ago Up 8 minutes ago 0.0.0.0:8080->8080/tcp myapp
3efee4d39965 registry.access.redhat.com/ubi8/httpd-24:latest /usr/bin/run-\
➥ http... 7 minutes ago Exited (0) 3 minutes ago 0.0.0.0:8081->8080/tcp myapp1

Check

podman ps --all
CONTAINER ID  IMAGE                                            COMMAND               CREATED             STATUS                     PORTS                   NAMES
dda54f7e59ce  registry.access.redhat.com/ubi8/httpd-24:latest  /usr/bin/run-http...  About a minute ago  Up About a minute          0.0.0.0:8080->8080/tcp  myapp
618d2a47b602  registry.access.redhat.com/ubi8/httpd-24:latest  /usr/bin/run-http...  44 seconds ago      Exited (0) 15 seconds ago  0.0.0.0:8081->8080/tcp  myapp1

2.1.6

Original

$ podman inspect myapp
[
     {
          "Id": "7f602f943a16e2356c119776c7e10589bf4708839c78db434602c73ac7783739",
          "Created": "2023-05-15T23:24:46.403999901+09:00",
          "Path": "container-entrypoint",
          "Args": [
               "/usr/bin/run-httpd"
          ],
…
]

Check

podman inspect myapp
[
     {
          "Id": "dda54f7e59ce82411ce3060ba2436e5726ec521cb3e231d553a612e5b941c770",
          "Created": "2023-06-11T05:14:33.935722126+09:00",
          "Path": "container-entrypoint",
          "Args": [
               "/usr/bin/run-httpd"
          ],
          "State": {
               "OciVersion": "1.1.0-rc.1",
               "Status": "running",
               "Running": true,
               "Paused": false,
               "Restarting": false,
               "OOMKilled": false,
               "Dead": false,
               "Pid": 2517,
               "ConmonPid": 2515,
               "ExitCode": 0,
               "Error": "",
               "StartedAt": "2023-06-11T05:14:34.235780322+09:00",
               "FinishedAt": "0001-01-01T00:00:00Z",
               "Health": {
                    "Status": "",
                    "FailingStreak": 0,
                    "Log": null
               },
               "CgroupPath": "/machine.slice/libpod-dda54f7e59ce82411ce3060ba2436e5726ec521cb3e231d553a612e5b941c770.scope",
               "CheckpointedAt": "0001-01-01T00:00:00Z",
               "RestoredAt": "0001-01-01T00:00:00Z"
          },
          "Image": "0db75443916a2a5e8ec8c74b8715ab619d1cf24cdb9e06c54877e13e6f96ed1a",
          "ImageDigest": "sha256:9dd49070b544a521a5277337e367711dcbdecc51a23db6d532e3fd7ee00e2d2a",
          "ImageName": "registry.access.redhat.com/ubi8/httpd-24:latest",
          "Rootfs": "",
          "Pod": "",
          "ResolvConfPath": "/run/containers/storage/overlay-containers/dda54f7e59ce82411ce3060ba2436e5726ec521cb3e231d553a612e5b941c770/userdata/resolv.conf",
          "HostnamePath": "/run/containers/storage/overlay-containers/dda54f7e59ce82411ce3060ba2436e5726ec521cb3e231d553a612e5b941c770/userdata/hostname",
          "HostsPath": "/run/containers/storage/overlay-containers/dda54f7e59ce82411ce3060ba2436e5726ec521cb3e231d553a612e5b941c770/userdata/hosts",
          "StaticDir": "/var/lib/containers/storage/overlay-containers/dda54f7e59ce82411ce3060ba2436e5726ec521cb3e231d553a612e5b941c770/userdata",
          "OCIConfigPath": "/var/lib/containers/storage/overlay-containers/dda54f7e59ce82411ce3060ba2436e5726ec521cb3e231d553a612e5b941c770/userdata/config.json",
          "OCIRuntime": "crun",
          "ConmonPidFile": "/run/containers/storage/overlay-containers/dda54f7e59ce82411ce3060ba2436e5726ec521cb3e231d553a612e5b941c770/userdata/conmon.pid",
          "PidFile": "/run/containers/storage/overlay-containers/dda54f7e59ce82411ce3060ba2436e5726ec521cb3e231d553a612e5b941c770/userdata/pidfile",
          "Name": "myapp",
          "RestartCount": 0,
          "Driver": "overlay",
          "MountLabel": "system_u:object_r:container_file_t:s0:c231,c272",
          "ProcessLabel": "system_u:system_r:container_t:s0:c231,c272",
          "AppArmorProfile": "",
          "EffectiveCaps": null,
          "BoundingCaps": [
               "CAP_CHOWN",
               "CAP_DAC_OVERRIDE",
               "CAP_FOWNER",
               "CAP_FSETID",
               "CAP_KILL",
               "CAP_NET_BIND_SERVICE",
               "CAP_SETFCAP",
               "CAP_SETGID",
               "CAP_SETPCAP",
               "CAP_SETUID",
               "CAP_SYS_CHROOT"
          ],
          "ExecIDs": [],
          "GraphDriver": {
               "Name": "overlay",
               "Data": {
                    "LowerDir": "/var/lib/containers/storage/overlay/8e7b45fa59d088a5ddb3602139fa066f00528111af6619dc6a1f3ca3c75099a1/diff:/var/lib/containers/storage/overlay/1071e9b050d5c96e077b806896bc5fa7746b05992679dd7eab9f580fe97453f2/diff:/var/lib/containers/storage/overlay/7cd83e46b22234ac775ed33e7b0c18d697f2e124681fd0592e859d2ee17fbcd4/diff",
                    "MergedDir": "/var/lib/containers/storage/overlay/19a0a21304814eb426f54263f18f32d77a6a8cc7a6f357f5fa4857c5d4a83d62/merged",
                    "UpperDir": "/var/lib/containers/storage/overlay/19a0a21304814eb426f54263f18f32d77a6a8cc7a6f357f5fa4857c5d4a83d62/diff",
                    "WorkDir": "/var/lib/containers/storage/overlay/19a0a21304814eb426f54263f18f32d77a6a8cc7a6f357f5fa4857c5d4a83d62/work"
               }
          },
          "Mounts": [],
          "Dependencies": [],
          "NetworkSettings": {
               "EndpointID": "",
               "Gateway": "10.88.0.1",
               "IPAddress": "10.88.0.2",
               "IPPrefixLen": 16,
               "IPv6Gateway": "",
               "GlobalIPv6Address": "",
               "GlobalIPv6PrefixLen": 0,
               "MacAddress": "fe:2e:d2:b1:e3:49",
               "Bridge": "",
               "SandboxID": "",
               "HairpinMode": false,
               "LinkLocalIPv6Address": "",
               "LinkLocalIPv6PrefixLen": 0,
               "Ports": {
                    "8080/tcp": [
                         {
                              "HostIp": "",
                              "HostPort": "8080"
                         }
                    ],
                    "8443/tcp": null
               },
               "SandboxKey": "/run/netns/netns-0c35e4a9-fc8a-aa0d-9256-49e2ceebef9b",
               "Networks": {
                    "podman": {
                         "EndpointID": "",
                         "Gateway": "10.88.0.1",
                         "IPAddress": "10.88.0.2",
                         "IPPrefixLen": 16,
                         "IPv6Gateway": "",
                         "GlobalIPv6Address": "",
                         "GlobalIPv6PrefixLen": 0,
                         "MacAddress": "fe:2e:d2:b1:e3:49",
                         "NetworkID": "podman",
                         "DriverOpts": null,
                         "IPAMConfig": null,
                         "Links": null,
                         "Aliases": [
                              "dda54f7e59ce"
                         ]
                    }
               }
          },
          "Namespace": "",
          "IsInfra": false,
          "IsService": false,
          "Config": {
               "Hostname": "dda54f7e59ce",
               "Domainname": "",
               "User": "1001",
               "AttachStdin": false,
               "AttachStdout": false,
               "AttachStderr": false,
               "Tty": false,
               "OpenStdin": false,
               "StdinOnce": false,
               "Env": [
                    "TERM=xterm",
                    "HTTPD_CONFIGURATION_PATH=/opt/app-root/etc/httpd.d",
                    "PLATFORM=el8",
                    "HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d",
                    "HTTPD_DATA_PATH=/var/www",
                    "STI_SCRIPTS_URL=image:///usr/libexec/s2i",
                    "PATH=/opt/app-root/src/bin:/opt/app-root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                    "HTTPD_DATA_ORIG_PATH=/var/www",
                    "SUMMARY=Platform for running Apache httpd 2.4 or building httpd-based application",
                    "STI_SCRIPTS_PATH=/usr/libexec/s2i",
                    "HTTPD_LOG_PATH=/var/log/httpd",
                    "HTTPD_VAR_RUN=/var/run/httpd",
                    "HTTPD_MAIN_CONF_MODULES_D_PATH=/etc/httpd/conf.modules.d",
                    "HTTPD_VERSION=2.4",
                    "HOME=/opt/app-root/src",
                    "HTTPD_APP_ROOT=/opt/app-root",
                    "container=oci",
                    "HTTPD_TLS_CERT_PATH=/etc/httpd/tls",
                    "HTTPD_MAIN_CONF_PATH=/etc/httpd/conf",
                    "HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/",
                    "DESCRIPTION=Apache httpd 2.4 available as container, is a powerful, efficient, and extensible web server. Apache supports a variety of features, many implemented as compiled modules which extend the core functionality. These can range from server-side programming language support to authentication schemes. Virtual hosting allows one Apache installation to serve many different Web sites.",
                    "APP_ROOT=/opt/app-root",
                    "HOSTNAME=dda54f7e59ce"
               ],
               "Cmd": [
                    "/usr/bin/run-httpd"
               ],
               "Image": "registry.access.redhat.com/ubi8/httpd-24:latest",
               "Volumes": null,
               "WorkingDir": "/opt/app-root/src",
               "Entrypoint": "container-entrypoint",
               "OnBuild": null,
               "Labels": {
                    "architecture": "aarch64",
                    "build-date": "2023-05-19T10:09:35",
                    "com.redhat.component": "httpd-24-container",
                    "com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
                    "description": "Apache httpd 2.4 available as container, is a powerful, efficient, and extensible web server. Apache supports a variety of features, many implemented as compiled modules which extend the core functionality. These can range from server-side programming language support to authentication schemes. Virtual hosting allows one Apache installation to serve many different Web sites.",
                    "distribution-scope": "public",
                    "io.buildah.version": "1.27.3",
                    "io.k8s.description": "Apache httpd 2.4 available as container, is a powerful, efficient, and extensible web server. Apache supports a variety of features, many implemented as compiled modules which extend the core functionality. These can range from server-side programming language support to authentication schemes. Virtual hosting allows one Apache installation to serve many different Web sites.",
                    "io.k8s.display-name": "Apache httpd 2.4",
                    "io.openshift.expose-services": "8080:http,8443:https",
                    "io.openshift.s2i.scripts-url": "image:///usr/libexec/s2i",
                    "io.openshift.tags": "builder,httpd,httpd-24",
                    "io.s2i.scripts-url": "image:///usr/libexec/s2i",
                    "maintainer": "SoftwareCollections.org <sclorg@redhat.com>",
                    "name": "rhel8/httpd-24",
                    "release": "263.1684490927",
                    "summary": "Platform for running Apache httpd 2.4 or building httpd-based application",
                    "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/rhel8/httpd-24/images/1-263.1684490927",
                    "usage": "s2i build https://github.com/sclorg/httpd-container.git --context-dir=examples/sample-test-app/ rhel8/httpd-24 sample-server",
                    "vcs-ref": "4e1ee65cbf88c38b88e7713f252dac650ab9d78d",
                    "vcs-type": "git",
                    "vendor": "Red Hat, Inc.",
                    "version": "1"
               },
               "Annotations": {
                    "io.container.manager": "libpod",
                    "org.opencontainers.image.stopSignal": "15"
               },
               "StopSignal": 15,
               "HealthcheckOnFailureAction": "none",
               "CreateCommand": [
                    "podman",
                    "run",
                    "-d",
                    "-p",
                    "8080:8080",
                    "--name",
                    "myapp",
                    "registry.access.redhat.com/ubi8/httpd-24"
               ],
               "Umask": "0022",
               "Timeout": 0,
               "StopTimeout": 10,
               "Passwd": true,
               "sdNotifyMode": "container"
          },
          "HostConfig": {
               "Binds": [],
               "CgroupManager": "systemd",
               "CgroupMode": "private",
               "ContainerIDFile": "",
               "LogConfig": {
                    "Type": "journald",
                    "Config": null,
                    "Path": "",
                    "Tag": "",
                    "Size": "0B"
               },
               "NetworkMode": "bridge",
               "PortBindings": {
                    "8080/tcp": [
                         {
                              "HostIp": "",
                              "HostPort": "8080"
                         }
                    ]
               },
               "RestartPolicy": {
                    "Name": "",
                    "MaximumRetryCount": 0
               },
               "AutoRemove": false,
               "VolumeDriver": "",
               "VolumesFrom": null,
               "CapAdd": [],
               "CapDrop": [],
               "Dns": [],
               "DnsOptions": [],
               "DnsSearch": [],
               "ExtraHosts": [],
               "GroupAdd": [],
               "IpcMode": "shareable",
               "Cgroup": "",
               "Cgroups": "default",
               "Links": null,
               "OomScoreAdj": 0,
               "PidMode": "private",
               "Privileged": false,
               "PublishAllPorts": false,
               "ReadonlyRootfs": false,
               "SecurityOpt": [],
               "Tmpfs": {},
               "UTSMode": "private",
               "UsernsMode": "",
               "ShmSize": 65536000,
               "Runtime": "oci",
               "ConsoleSize": [
                    0,
                    0
               ],
               "Isolation": "",
               "CpuShares": 0,
               "Memory": 0,
               "NanoCpus": 0,
               "CgroupParent": "",
               "BlkioWeight": 0,
               "BlkioWeightDevice": null,
               "BlkioDeviceReadBps": null,
               "BlkioDeviceWriteBps": null,
               "BlkioDeviceReadIOps": null,
               "BlkioDeviceWriteIOps": null,
               "CpuPeriod": 0,
               "CpuQuota": 0,
               "CpuRealtimePeriod": 0,
               "CpuRealtimeRuntime": 0,
               "CpusetCpus": "",
               "CpusetMems": "",
               "Devices": [],
               "DiskQuota": 0,
               "KernelMemory": 0,
               "MemoryReservation": 0,
               "MemorySwap": 0,
               "MemorySwappiness": 0,
               "OomKillDisable": false,
               "PidsLimit": 2048,
               "Ulimits": [
                    {
                         "Name": "RLIMIT_NOFILE",
                         "Soft": 1048576,
                         "Hard": 1048576
                    },
                    {
                         "Name": "RLIMIT_NPROC",
                         "Soft": 4194304,
                         "Hard": 4194304
                    }
               ],
               "CpuCount": 0,
               "CpuPercent": 0,
               "IOMaximumIOps": 0,
               "IOMaximumBandwidth": 0,
               "CgroupConf": null
          }
     }
]

2.1.9

Original

$ podman commit myapp myimage
Getting image source signatures
Copying blob 759c4bc4ab9d skipped: already exists  
Copying blob 238df6ed29fc skipped: already exists  
Copying blob f6863edb4c9e skipped: already exists  
Copying blob 6d6b0a5adbc3 done  
Copying config c9eef31333 done  
Writing manifest to image destination
Storing signatures
c9eef31333070489a02e988cbbab49490bc13b19226b38b892097d27560e8697

Check

$ podman stop myapp
myapp
$ podman commit myapp myimage
Getting image source signatures
Copying blob 7cd83e46b222 skipped: already exists
Copying blob d91cf39c6d91 skipped: already exists
Copying blob fc27e5fb1a0d skipped: already exists
Copying blob ee8bdd3d1660 done
Copying config 6ffad7a7f0 done
Writing manifest to image destination
Storing signatures
6ffad7a7f035a5c92cc68e53ad84f6e9fd0a3651b3d080d8cd8adf47f1aa74ca

2.2.1

Original

$ podman image tree myimage
Image ID: c9eef3133307
Tags:     [localhost/myimage:latest]
Size:     452MB
Image Layers
├── ID: 759c4bc4ab9d Size: 214.1MB
├── ID: 8a6809ae6c60 Size: 58.81MB
├── ID: 5b2909540348 Size:   179MB Top Layer of: [registry.access.redhat.com/ubi8/httpd-24:latest]
└── ID: 96e59ab7bcbf Size: 44.03kB Top Layer of: [localhost/myimage:latest]

Check

$ podman image tree myimage
Image ID: 6ffad7a7f035
Tags:     [localhost/myimage:latest]
Size:     483.3MB
Image Layers
├── ID: 7cd83e46b222 Size: 236.6MB
├── ID: 1071e9b050d5 Size:  62.2MB
├── ID: 8e7b45fa59d0 Size: 184.4MB Top Layer of: [registry.access.redhat.com/ubi8/httpd-24:latest]
└── ID: 912408b6c02a Size:  51.2kB Top Layer of: [localhost/myimage:latest]

Original

$ podman image diff myimage ubi8/httpd-24
C /opt
C /opt/app-root
C /opt/app-root/etc
A /opt/app-root/etc/passwd
C /var
C /var/log
C /var/log/httpd
A /var/log/httpd/modsec_audit.log
A /var/log/httpd/modsec_debug.log
…

Check

$ podman image diff myimage ubi8/httpd-24
C /etc
C /etc/group
C /etc/httpd
C /etc/httpd/conf.d
C /etc/httpd/conf.d/ssl.conf
C /etc/httpd/tls
A /etc/httpd/tls/dhparams.pem
A /etc/httpd/tls/localhost.crt
A /etc/httpd/tls/localhost.key
C /etc/httpd/conf
C /etc/httpd/conf/httpd.conf
C /opt
C /opt/app-root
C /opt/app-root/etc
A /opt/app-root/etc/passwd
C /var
C /var/log
C /var/log/httpd
A /var/log/httpd/modsec_audit.log
A /var/log/httpd/modsec_debug.log
C /var/www
C /var/www/html
A /var/www/html/index.html
  • The order of the output is switched each time the command is executed.

2.2.2

Original

$ podman images
REPOSITORY                                TAG     IMAGE ID      CREATED       SIZE
localhost/myimage                         latest  2c7e43d88038  46 hours ago  462 MB
registry.access.redhat.com/ubi8/httpd-24  latest  8594be0a0b57  5 weeks ago   462 MB
registry.access.redhat.com/ubi8           latest  ad42391b9b46  5 weeks ago   234 MB

Check

2.2.9

Original

$ podman search registry.access.redhat.com/httpd
NAME                                                                         DESCRIPTION
registry.access.redhat.com/rhscl/httpd-24-rhel7                              Apache HTTP 2.4 Server
registry.access.redhat.com/ubi8/httpd-24                                     Platform for running Apache httpd 2.4 or bui...
registry.access.redhat.com/cloudforms46-beta/cfme-openshift-httpd            CloudForms is a management and automation pl...
registry.access.redhat.com/cloudforms46/cfme-openshift-httpd                 Web Server image for a multi-pod Red Hat® C...
…

Check

# podman search registry.access.redhat.com/httpd
NAME                                                                         DESCRIPTION
registry.access.redhat.com/rhscl/httpd-24-rhel7                              Apache HTTP 2.4 Server
registry.access.redhat.com/ubi8/httpd-24                                     Platform for running Apache httpd 2.4 or bui...
registry.access.redhat.com/cloudforms46-beta/cfme-openshift-httpd            CloudForms is a management and automation pl...
registry.access.redhat.com/ubi9/httpd-24                                     rhcc_registry.access.redhat.com_ubi9/httpd-2...
registry.access.redhat.com/cloudforms46/cfme-openshift-httpd                 Web Server image for a multi-pod Red Hat® C...
registry.access.redhat.com/rhmap43/httpd                                     Provides an extension to the RHSCL Httpd Doc...
registry.access.redhat.com/rhmap47/httpd                                     Provides an extension to the RHSCL Httpd ima...
registry.access.redhat.com/rhmap45/httpd                                     Provides an extension to the RHSCL Httpd ima...
registry.access.redhat.com/rhmap44/httpd                                     Provides an extension to the RHSCL Httpd Doc...
registry.access.redhat.com/rhmap42/httpd                                     Provides an extension to the RHSCL Httpd Doc...
registry.access.redhat.com/rhmap46/httpd                                     Provides an extension to the RHSCL Httpd ima...
registry.access.redhat.com/cloudforms47/cfme-openshift-httpd                 CloudForms 4.7 APP image for OpenShift
registry.access.redhat.com/rhscl/varnish-4-rhel7                             Varnish 4 high-performance HTTP accelerator
registry.access.redhat.com/openshift3/ose-egress-http-proxy                  This is the egress router HTTP proxy for Ope...
registry.access.redhat.com/rhscl/varnish-6-rhel7                             Varnish available as container is a base pla...
registry.access.redhat.com/rhscl/varnish-5-rhel7                             Varnish available as container is a base pla...
registry.access.redhat.com/openshift3/prometheus-alert-buffer                A small server that saves incoming webhook J...
registry.access.redhat.com/openshift3/ose-f5-router                          The F5 router plug-in integrates with an exi...
registry.access.redhat.com/openshift3/ose-haproxy-router                     Default router implementation for OpenShift...
registry.access.redhat.com/cloudforms46/cfme-httpd-configmap-generator       External Authentication configuration mappin...
registry.access.redhat.com/cloudforms47/cfme-httpd-configmap-generator       CloudForms 4.7 APP image for OpenShift
registry.access.redhat.com/cloudforms46-beta/cfme-httpd-configmap-generator  CloudForms is a management and automation pl...
registry.access.redhat.com/rhscl/s2i-core-rhel7                              The s2i core container image serves as a bas...
registry.access.redhat.com/rhscl/nginx-112-rhel7                             Nginx is a web server and a reverse proxy se...
registry.access.redhat.com/cloudforms46/cfme-openshift-app                   Red Hat® CloudForms Appliance image to be u...

2.2.10

Original

$ podman mount quay.io/rhatdan/myimage
Error: cannot run command "podman mount" in rootless mode, must execute `podman unshare` first

Check

$ podman mount quay.io/rhatdan/myimage
Error: cannot run command "podman mount" in rootless mode, must execute `podman unshare` first

Original

# podman image unmount quay.io/rhatdan/myimage 
# exit

Check

# podman image unmount quay.io/rhatdan/myimage
2c7e43d880382561ebae3fa06c7a1442d0da2912786d09ea9baaef87f73c29ae
# exit
exit

2.3.2

Original

$ mkdir myapp

$ cat > myapp/index.html << _EOF
<html>
 <head>
 </head>
 <body>
 <h1>Hello World</h1>
 </body>
</html>
_EOF

$ cat > myapp/Containerfile << _EOF
FROM ubi8/httpd-24
COPY index.html /var/www/html/index.html
_EOF

$ podman build -t quay.io/rhatdan/myimage ./myapp
STEP 1/2: FROM ubi8/httpd-24
STEP 2/2: COPY index.html /var/www/html/index.html
COMMIT quay.io/rhatdan/myimage
--> f81b8ace4f1
Successfully tagged quay.io/rhatdan/myimage:latest
f81b8ace4f134d08cedb20a9156ae727444ae4d4ec1ceb3b12d3aff23d18128b

$ cat > myapp/automate.sh << _EOF
#!/bin/bash
podman build -t quay.io/rhatdan/myimage ./myapp
podman push quay.io/rhatdan/myimage
_EOF
$ chmod +x myapp/automate.sh

Check

$ mkdir myapp

$ cat > myapp/index.html << _EOF
<html>
 <head>
 </head>
 <body>
 <h1>Hello World</h1>
 </body>
</html>
_EOF

$ cat > myapp/Containerfile << _EOF
FROM ubi8/httpd-24
COPY index.html /var/www/html/index.html
_EOF

$ podman build -t quay.io/rhatdan/myimage ./myapp
STEP 1/2: FROM ubi8/httpd-24
STEP 2/2: COPY index.html /var/www/html/index.html
COMMIT quay.io/rhatdan/myimage
--> e6d5b64b508c
Successfully tagged quay.io/rhatdan/myimage:latest
e6d5b64b508c3a9b3495a354b3f2a653d7d8852e4d62322b570a5f762fd1c843

$ cat > myapp/automate.sh << _EOF
#!/bin/bash
podman build -t quay.io/rhatdan/myimage ./myapp
podman push quay.io/rhatdan/myimage
_EOF
$ chmod +x myapp/automate.sh

$ ls -l myapp/
total 12
-rwxr-xr-x. 1 user user 96 Jun 14 04:19 automate.sh
-rw-r--r--. 1 user user 60 Jun 14 04:01 Containerfile
-rw-r--r--. 1 user user 71 Jun 14 04:01 index.html

3.1

Original

$ mkdir html
$ cat > html/index.html << _EOF
<html>
 <head>
 </head>
 <body>
 <h1>Goodbye World</h1>
 </body>
</html> 
_EOF
$ podman run -d -v ./html:/var/www/html:ro,z -p 8080:8080 quay.io/rhatdan/myimage
94c21a3d8fda740857abc571469aaaa181f4db27a464ceb6743c4a37fb875772

Check

$ mkdir html
$ cat > html/index.html << _EOF
<html>
 <head>
 </head>
 <body>
 <h1>Goodbye World</h1>
 </body>
</html> 
_EOF
$ podman run -d -v ./html:/var/www/html:ro,z -p 8080:8080 quay.io/rhatdan/myimage
b7b5d50626bd36f30dc50f1bf19fb847350b1357fac5b56edab52e5b15afd723

Original

$ podman rm --latest --force

Check

$ podman rm --latest --force
b7b5d50626bd36f30dc50f1bf19fb847350b1357fac5b56edab52e5b15afd723

3.1.1

Original

$ podman volume create webdata

Check

$ podman volume create webdata
webdata

Original

$ podman volume inspect webdata
[
 {
  "Name": "webdata", 
  "Driver": "local",
  "Mountpoint": "/home/dwalsh/.local/share/containers/storage/volumes/webdata/_data",
  "CreatedAt": "2021-10-11T14:10:48.741367132-04:00",
  "Labels": {},
  "Scope": "local",
  "Options": {}
 }
]

Check

$ podman volume inspect webdata
[
     {
          "Name": "webdata",
          "Driver": "local",
          "Mountpoint": "/home/user/.local/share/containers/storage/volumes/webdata/_data",
          "CreatedAt": "2023-06-14T07:31:06.550113446+09:00",
          "Labels": {},
          "Scope": "local",
          "Options": {},
          "MountCount": 0,
          "NeedsCopyUp": true,
          "NeedsChown": true
     }
]

Original

$ cat > /home/dwalsh/.local/share/containers/storage/volumes/webdata/_data/index.html << _EOL
<html>
 <head>
 </head>
 <body>
 <h1>Goodbye World</h1>
 </body>
</html>
_EOL

Check

$ cat > /home/user/.local/share/containers/storage/volumes/webdata/_data/index.html << _EOL
<html>
 <head>
 </head>
 <body>
 <h1>Goodbye World</h1>
 </body>
</html> 
_EOL

Original

podman run -d -v webdata:/var/www/html:ro,z -p 8080:8080 quay.io/rhatdan/myimage
0c8eb612831f8fe22438d73d801e5bb664ec3b1d524c5c10759ee0049061cb6b

Check

$ podman run -d -v webdata:/var/www/html:ro,z -p 8080:8080 quay.io/rhatdan/myimage
8a156f8a57e4a20c11d31c3149ae849bfd53d13fb1bcdfcf8fc7b4eb55b6e47a
$ curl localhost:8080
<html>
 <head>
 </head>
 <body>
 <h1>Goodbye World</h1>
 </body>
</html>

Original

podman stop -t 0 0c8eb61283

Check

$ podman stop -t 0 8a156f8a57e4
8a156f8a57e4

Original

$ podman volume rm --force webdata

Check

$ podman volume rm --force webdata
webdata

Original

$ podman volume list

Check

$ podman volume list

Original

$ podman run -d -v webdata1:/var/www/html:ro,z -p 8080:8080 \
    quay.io/rhatdan/myimage
58ccaf37958496322e34cd933cd4dd5a61ab06c5ba678beb28fdc29cfb81f407
$ podman volume list
DRIVER   VOLUME NAME
local     webdata1

Check

$ podman run -d -v webdata1:/var/www/html:ro,z -p 8080:8080 quay.io/rhatdan/myimage
78f6d245c6a386591a52137168a874c57f7d1a08bafff422a6021f36489aa86f
$ podman volume list
DRIVER      VOLUME NAME
local       webdata1

Original

$ podman volume rm --force webdata1

Check

$ podman ps -a
CONTAINER ID  IMAGE                                            COMMAND               CREATED         STATUS         PORTS                   NAMES
78f6d245c6a3  quay.io/rhatdan/myimage:latest                   /usr/bin/run-http...  32 minutes ago  Up 32 minutes  0.0.0.0:8080->8080/tcp  quirky_brown
$ podman volume rm --force webdata1
webdata1
$ podman ps -a
CONTAINER ID  IMAGE                                            COMMAND               CREATED      STATUS      PORTS                   NAMES

Original

$ podman run -d -v ./html:/var/www/html:ro,z -p 8080:8080 quay.io/rhatdan/myimage

Check

$ podman run -d -v ./html:/var/www/html:ro,z -p 8080:8080 quay.io/rhatdan/myimage
Error: lstat html: no such file or directory

3.1.2

Original

$ podman unshare cat /proc/self/uid_map
       0     3267      1
       1   100000    65536

Check

$ podman unshare cat /proc/self/uid_map
         0       1000          1
         1     524288      65536

Original

$ podman unshare chown 60:60 ./html
$ podman run docker.io/mariadb grep mysql /etc/passwd
mysql:x:999:999::/home/mysql:/bin/sh

Check

$ podman unshare chown 60:60 ./html
$ podman run docker.io/mariadb grep mysql /etc/passwd
Trying to pull docker.io/library/mariadb:latest...
Getting image source signatures
Copying blob 1ecbfd4a00bd done
Copying blob 6c7698a779f6 done
Copying blob dd40ffbb6cb3 done
Copying blob c3beef926275 done
Copying blob 31691bc52e3b done
Copying blob 0b4de91620aa done
Copying blob 91656c5c74a8 done
Copying blob fbc99aa6f426 done
Copying config a907bf7d29 done
Writing manifest to image destination
Storing signatures
mysql:x:999:999::/home/mysql:/bin/sh
$ podman run docker.io/mariadb grep mysql /etc/passwd
mysql:x:999:999::/home/mysql:/bin/sh

Original

$ mkdir mariadb
$ ls -ld mariadb/
drwxrwxr-x. 1 dwalsh dwalsh 0 Oct 23 06:55 mariadb/

Check

$ mkdir mariadb
$ ls -ld mariadb/
drwxr-xr-x. 2 user user 6 Jun 14 10:23 mariadb/

Original

$ podman run --user mysql -v ./mariadb:/var/lib/mariadb:U \
    docker.io/mariadb ls -ld /var/lib/mariadb
drwxrwxr-x. 1 mysql mysql 0 Oct 23 10:55 /var/lib/mariadb

Check

$ podman run --user mysql -v ./mariadb:/var/lib/mariadb:U docker.io/mariadb ls -ld /var/lib/mariadb
drwxr-xr-x. 2 mysql mysql 6 Jun 14 01:23 /var/lib/mariadb

Original

$ ls -ld mariadb/
drwxrwxr-x. 1 100998 100998 0 Oct 23 06:55 mariadb/

Check

$ ls -ld mariadb/
drwxr-xr-x. 2 525286 525286 6 Jun 14 10:23 mariadb/
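
The host UIDs in the two ls -ld outputs above (100998 in the book's run, 525286 here) follow directly from the uid_map lines that podman unshare printed earlier in this section: a container UID N that falls in the second range lands on host UID host_start + (N - container_start). The POSIX sh function below is an added example, not code from this gist or from the Podman in Action book; it parses a uid_map in that format and reports the host UID a container UID is written to disk as. The function name map_to_host and the two embedded maps (copied from the uid_map outputs above) are this example's own.

```shell
#!/bin/sh
# Added example, not from the gist or the book: translate a container UID to
# the host UID the kernel writes to disk for a rootless container, using the
# same "<container-start> <host-start> <length>" lines that
# `podman unshare cat /proc/self/uid_map` prints.

# Constructed sample maps, copied from the two uid_map outputs in this section.
BOOK_UID_MAP='0 3267 1
1 100000 65536'

CHECK_UID_MAP='0 1000 1
1 524288 65536'

# map_to_host MAP CONTAINER_UID
# Prints the host UID that CONTAINER_UID maps to, or "unmapped" with exit
# status 1 when no range covers it (such files show up inside the container
# as the kernel's overflow UID, 65534, and cannot be chowned to a valid user).
map_to_host() {
    _cuid=$2
    # Feed the map through a here-document so the loop runs in the current
    # shell and `return` works (a pipeline would run it in a subshell).
    while read -r cstart hstart len; do
        [ -z "$cstart" ] && continue
        if [ "$_cuid" -ge "$cstart" ] && [ "$_cuid" -lt $((cstart + len)) ]; then
            echo $((hstart + _cuid - cstart))
            return 0
        fi
    done <<EOF
$1
EOF
    echo unmapped
    return 1
}

# Stand-alone demo: the mysql user (UID 999) after `-v ./mariadb:/var/lib/mariadb:U`,
# root inside the container, and the UID 60 used with `podman unshare chown`.
echo "book run:  container 999 -> host $(map_to_host "$BOOK_UID_MAP" 999)"
echo "check run: container 999 -> host $(map_to_host "$CHECK_UID_MAP" 999)"
echo "check run: container 0   -> host $(map_to_host "$CHECK_UID_MAP" 0)"
echo "check run: container 60  -> host $(map_to_host "$CHECK_UID_MAP" 60)"
```

Run it as `sh map.sh`, or paste the function into a shell and call `map_to_host "$(podman unshare cat /proc/self/uid_map)" 999` to see which host UID a given container user would own files as on your own machine. The same arithmetic explains why a bind mount chowned on the host to a UID outside the mapped range is unusable from inside the container, and why `:U` on the volume has to do the ownership translation for you.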

Original

$ podman run --security-opt label=disable -v /home/dwalsh:/home/dwalsh \
    -p 8080:8080 quay.io/rhatdan/myimage

Check

$ podman run --security-opt label=disable -v /home/user:/home/user -p 8080:8080 quay.io/rhatdan/myimage
=> sourcing 10-set-mpm.sh ...
=> sourcing 20-copy-config.sh ...
=> sourcing 40-ssl-certs.sh ...
---> Generating SSL key pair for httpd...
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.0.2.100. Set the 'ServerName' directive globally to suppress this message
[Wed Jun 14 01:31:00.844532 2023] [ssl:warn] [pid 1:tid 281473250611216] AH01909: 10.0.2.100:8443:0 server certificate does NOT include an ID which matches the server name
[Wed Jun 14 01:31:00.844657 2023] [:notice] [pid 1:tid 281473250611216] ModSecurity for Apache/2.9.6 (http://www.modsecurity.org/) configured.
[Wed Jun 14 01:31:00.844659 2023] [:notice] [pid 1:tid 281473250611216] ModSecurity: APR compiled version="1.6.3"; loaded version="1.6.3"
[Wed Jun 14 01:31:00.844660 2023] [:notice] [pid 1:tid 281473250611216] ModSecurity: PCRE compiled version="8.42 "; loaded version="8.42 2018-03-20"
[Wed Jun 14 01:31:00.844676 2023] [:notice] [pid 1:tid 281473250611216] ModSecurity: LUA compiled version="Lua 5.3"
[Wed Jun 14 01:31:00.844677 2023] [:notice] [pid 1:tid 281473250611216] ModSecurity: YAJL compiled version="2.1.0"
[Wed Jun 14 01:31:00.844678 2023] [:notice] [pid 1:tid 281473250611216] ModSecurity: LIBXML compiled version="2.9.7"
[Wed Jun 14 01:31:00.844679 2023] [:notice] [pid 1:tid 281473250611216] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.0.2.100. Set the 'ServerName' directive globally to suppress this message
[Wed Jun 14 01:31:00.910988 2023] [ssl:warn] [pid 1:tid 281473250611216] AH01909: 10.0.2.100:8443:0 server certificate does NOT include an ID which matches the server name
[Wed Jun 14 01:31:00.911100 2023] [lbmethod_heartbeat:notice] [pid 1:tid 281473250611216] AH02282: No slotmem from mod_heartmonitor
[Wed Jun 14 01:31:00.914144 2023] [mpm_event:notice] [pid 1:tid 281473250611216] AH00489: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k configured -- resuming normal operations
[Wed Jun 14 01:31:00.914151 2023] [core:notice] [pid 1:tid 281473250611216] AH00094: Command line: 'httpd -D FOREGROUND'

4.2

Original

$ podman pod create -p 8080:8080 --name mypod --volume ./html:/var/www/html:z

Check

# mkdir html
# podman pod create -p 8080:8080 --name mypod --volume ./html:/var/www/html:z
58b0ceec1d525bf52d23fb04635c5b6b4f5b776577b7e1435b7443b98d84ebd8
# podman ps -a
CONTAINER ID  IMAGE                                    COMMAND     CREATED        STATUS      PORTS                   NAMES
637d3f8730ce  localhost/podman-pause:4.5.1-1685123899              3 seconds ago  Created     0.0.0.0:8080->8080/tcp  58b0ceec1d52-infra

4.3

Original

$ podman create --pod mypod --name myapp quay.io/rhatdan/myimage
cec045acb1c2be4a6e4e88e21275076fb1de5519a25fb5a55f192da70708a640

Check

# podman create --pod mypod --name myapp quay.io/rhatdan/myimage
1d7f31678a502baf8dd4d767ba1d03fc46f20d2775392999f460bf3477e43a5c

Original

$ cat > html/time.sh << _EOL
#!/bin/sh
data() {
	echo "<html><head></head><body><h1>"; date;echo "Hello World</h1></body></html>"
	sleep 1
}
while true; do
	data > index.html
done
_EOL

Check

# cat > html/time.sh << _EOL
#!/bin/sh
data() {
	echo "<html><head></head><body><h1>"; date;echo "Hello World</h1></body></html>"
	sleep 1
}
while true; do
	data > index.html
done
_EOL

Original

$ chmod +x html/time.sh

Check

# chmod +x html/time.sh

Original

$ podman create --pod mypod --name time --workdir /var/www/html ubi8 ./time.sh
Resolved "ubi8" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8:latest...
...
1be0b2fae53029d518e75def71c0d6961b662d0e8b4a1082edea5589d1353af3

Check

# podman create --pod mypod --name time --workdir /var/www/html ubi8 ./time.sh
Resolved "ubi8" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob dc5bc235f26c done
Copying config 2ec437f86a done
Writing manifest to image destination
Storing signatures
3666c7bf82a4606214cfc50b9ddfb1154405b3762c9c2a976841b02f8fe7a658

4.4

Original

$ podman pod start mypod
790fefe97b280e5f67c526e3a421e9c9f958cf5a98f3709373ef1afd91965955

Check

# podman pod start mypod
13411f57c3f00b9ee1565e2a24b1c5d99e9440a26be83b950b345aa3258a29da

Original

podman ps
CONTAINER ID  IMAGE                                    COMMAND               CREATED         STATUS            PORTS                   NAMES
b9536ea4a8ab  localhost/podman-pause:4.0.3-1648837314                        14 minutes ago  Up 5 seconds ago  0.0.0.0:8080->8080/tcp  8920b1ccd8b0-infra
a978e0005273  quay.io/rhatdan/myimage:latest           /usr/bin/run-http...  14 minutes ago  Up 5 seconds ago  0.0.0.0:8080->8080/tcp  myapp
be86937986e9  registry.access.redhat.com/ubi8:latest   ./time.sh             13 minutes ago  Up 5 seconds ago  0.0.0.0:8080->8080/tcp  time

Check

# podman ps
CONTAINER ID  IMAGE                                    COMMAND               CREATED      STATUS      PORTS                   NAMES
7992e6b879c7  localhost/podman-pause:4.5.1-1685123899                        3 hours ago  Up 3 hours  0.0.0.0:8080->8080/tcp  13411f57c3f0-infra
1cf0417a341c  quay.io/rhatdan/myimage:latest           /usr/bin/run-http...  3 hours ago  Up 3 hours  0.0.0.0:8080->8080/tcp  myapp
ab40b0755fce  registry.access.redhat.com/ubi8:latest   ./time.sh             3 hours ago  Up 3 hours  0.0.0.0:8080->8080/tcp  time

4.5

Original

$ podman pod stop mypod
790fefe97b280e5f67c526e3a421e9c9f958cf5a98f3709373ef1afd91965955

Check

# podman pod stop mypod
WARN[0010] StopSignal SIGTERM failed to stop container time in 10 seconds, resorting to SIGKILL
13411f57c3f00b9ee1565e2a24b1c5d99e9440a26be83b950b345aa3258a29da

Original

$ podman ps
CONTAINER ID  IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES

Check

# podman ps
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

4.6

Original

$ podman pod list
POD ID        NAME   STATUS  CREATED         INFRA ID      # OF CONTAINERS
790fefe97b28  mypod  Exited  22 minutes ago  b9536ea4a8ab  3

Check

# podman pod list
POD ID        NAME        STATUS      CREATED      INFRA ID      # OF CONTAINERS
13411f57c3f0  mypod       Exited      3 hours ago  7992e6b879c7  3

4.7

Original

$ podman ps --all --format "{{.ID}} {{.Image}} {{.Pod}}"
b9536ea4a8ab k8s.gcr.io/pause:3.5 790fefe97b28
a978e0005273 quay.io/rhatdan/myimage:latest 790fefe97b28
be86937986e9 registry.access.redhat.com/ubi8:latest 790fefe97b28

Check

# podman ps --all --format "{{.ID}} {{.Image}} {{.Pod}}"
7992e6b879c7 localhost/podman-pause:4.5.1-1685123899 13411f57c3f0
1cf0417a341c quay.io/rhatdan/myimage:latest 13411f57c3f0
ab40b0755fce registry.access.redhat.com/ubi8:latest 13411f57c3f0

Original

$ podman pod rm mypod
790fefe97b280e5f67c526e3a421e9c9f958cf5a98f3709373ef1afd91965955
$ podman pod ls
POD ID    NAME      STATUS    CREATED   INFRA ID  # OF CONTAINERS

Check

# podman pod rm mypod
13411f57c3f00b9ee1565e2a24b1c5d99e9440a26be83b950b345aa3258a29da
# podman pod ls
POD ID      NAME        STATUS      CREATED     INFRA ID    # OF CONTAINERS

Original

$ podman ps -a --format "{{.ID}} {{.Image}}"

Check

# podman ps -a --format "{{.ID}} {{.Image}}"
  • no output

5.1

Original

$ podman info --format '{{ .Store.ConfigFile }}'
/home/dwalsh/.config/containers/storage.conf

Check

$ podman info --format '{{ .Store.ConfigFile }}'
/home/user/.config/containers/storage.conf

5.1.1

Original

$ sudo cp /usr/share/containers/storage.conf /etc/containers/storage.conf
$ sudo cp /etc/containers/storage.conf /etc/containers/storage.conf.orig
$ sudo vi /etc/containers/storage.conf
$ grep -B 1 graph /etc/containers/storage.conf
# Primary Read/Write location of container storage
graphroot = "/var/mystorage"

Check

$ grep -B 1 graph /etc/containers/storage.conf
# Primary Read/Write location of container storage
# When changing the graphroot location on an SELINUX system, you must
--
# restorecon -R -v /NEWSTORAGEPATH
graphroot = "/var/mystorage"

Original

$ sudo podman info

Check

$ sudo podman info
host:
  arch: arm64
  buildahVersion: 1.30.0
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - pids
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.7-2.fc38.aarch64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: '
  cpuUtilization:
    idlePercent: 99.08
    systemPercent: 0.61
    userPercent: 0.3
  cpus: 2
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    variant: server
    version: "38"
  eventLogger: journald
  hostname: localhost.localdomain
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.2.9-300.fc38.aarch64
  linkmode: dynamic
  logDriver: journald
  memFree: 2877878272
  memTotal: 4084940800
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.8.5-1.fc38.aarch64
    path: /usr/bin/crun
    version: |-
      crun version 1.8.5
      commit: b6f80f766c9a89eb7b1440c0a70ab287434b17ed
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-12.fc38.aarch64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 4084199424
  swapTotal: 4084199424
  uptime: 3h 60m 39.00s (Approximately 0.12 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/mystorage
  graphRootAllocated: 6064963584
  graphRootUsed: 4811177984
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/mystorage/volumes
version:
  APIVersion: 4.5.1
  Built: 1685123899
  BuiltTime: Sat May 27 02:58:19 2023
  GitCommit: ""
  GoVersion: go1.20.4
  Os: linux
  OsArch: linux/arm64
  Version: 4.5.1


Original

$ podman info
store:
 configFile: /home/dwalsh/.config/containers/storage.conf
 containerStore:
    number: 27
    paused: 0
    running: 0
    stopped: 27
graphDriverName: overlay
graphOptions: {}
graphRoot: /home/dwalsh/.local/share/containers/storage

Check

$ podman info
host:
  arch: arm64
  buildahVersion: 1.30.0
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.7-2.fc38.aarch64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: '
  cpuUtilization:
    idlePercent: 99.09
    systemPercent: 0.61
    userPercent: 0.3
  cpus: 2
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    variant: server
    version: "38"
  eventLogger: journald
  hostname: localhost.localdomain
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.2.9-300.fc38.aarch64
  linkmode: dynamic
  logDriver: journald
  memFree: 2881298432
  memTotal: 4084940800
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.8.5-1.fc38.aarch64
    path: /usr/bin/crun
    version: |-
      crun version 1.8.5
      commit: b6f80f766c9a89eb7b1440c0a70ab287434b17ed
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-12.fc38.aarch64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 4084199424
  swapTotal: 4084199424
  uptime: 4h 2m 56.00s (Approximately 0.17 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/user/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/user/.local/share/containers/storage
  graphRootAllocated: 6064963584
  graphRootUsed: 4811128832
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 4
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/user/.local/share/containers/storage/volumes
version:
  APIVersion: 4.5.1
  Built: 1685123899
  BuiltTime: Sat May 27 02:58:19 2023
  GitCommit: ""
  GoVersion: go1.20.4
  Os: linux
  OsArch: linux/arm64
  Version: 4.5.1


Original

$ sudo vi /etc/containers/storage.conf

Check

$ sudo vi /etc/containers/storage.conf

Original

$ grep -B 3 rootless_storage_path /etc/containers/storage.conf
# Storage path for rootless users
#
rootless_storage_path = "/var/tmp/$UID/var/mystorage"

Check

$ grep -B 3 rootless_storage_path /etc/containers/storage.conf

# Storage path for rootless users
#
rootless_storage_path = "/var/tmp/$UID/var/mystorage"

Original

$ podman info
... store:
 configFile: /home/dwalsh/.config/containers/storage.conf
...
graphOptions: {}
graphRoot: /var/tmp/3267/var/mystorage

Check

$ podman info
host:
  arch: arm64
  buildahVersion: 1.30.0
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.7-2.fc38.aarch64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: '
  cpuUtilization:
    idlePercent: 99.11
    systemPercent: 0.6
    userPercent: 0.29
  cpus: 2
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    variant: server
    version: "38"
  eventLogger: journald
  hostname: localhost.localdomain
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.2.9-300.fc38.aarch64
  linkmode: dynamic
  logDriver: journald
  memFree: 2881732608
  memTotal: 4084940800
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.8.5-1.fc38.aarch64
    path: /usr/bin/crun
    version: |-
      crun version 1.8.5
      commit: b6f80f766c9a89eb7b1440c0a70ab287434b17ed
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-12.fc38.aarch64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 4084199424
  swapTotal: 4084199424
  uptime: 4h 10m 53.00s (Approximately 0.17 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/user/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/tmp/1000/var/mystorage
  graphRootAllocated: 6064963584
  graphRootUsed: 4811235328
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /var/tmp/1000/var/mystorage/volumes
version:
  APIVersion: 4.5.1
  Built: 1685123899
  BuiltTime: Sat May 27 02:58:19 2023
  GitCommit: ""
  GoVersion: go1.20.4
  Os: linux
  OsArch: linux/arm64
  Version: 4.5.1


Original

$ sudo cp /etc/containers/storage.conf.orig /etc/containers/storage.conf

Check

$ sudo cp /etc/containers/storage.conf.orig /etc/containers/storage.conf

Original

sudo semanage fcontext -a -e /var/lib/containers/storage /var/mystorage
sudo restorecon -R -v /var/mystorage

Check

$ sudo semanage fcontext -a -e /var/lib/containers/storage /var/mystorage
$ sudo restorecon -R -v /var/mystorage
Relabeled /var/mystorage from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:container_var_lib_t:s0
Relabeled /var/mystorage/libpod from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:container_var_lib_t:s0
Relabeled /var/mystorage/libpod/bolt_state.db from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:container_var_lib_t:s0
Relabeled /var/mystorage/overlay from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:container_ro_file_t:s0
Relabeled /var/mystorage/overlay/l from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:container_ro_file_t:s0
Relabeled /var/mystorage/overlay/.has-mount-program from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:container_ro_file_t:s0
Relabeled /var/mystorage/overlay/backingFsBlockDev from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:container_ro_file_t:s0
Relabeled /var/mystorage/storage.lock from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:container_var_lib_t:s0
Relabeled /var/mystorage/userns.lock from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:container_var_lib_t:s0
Relabeled /var/mystorage/overlay-images from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:container_ro_file_t:s0
Relabeled /var/mystorage/overlay-images/images.lock from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:container_ro_file_t:s0
Relabeled /var/mystorage/overlay-containers from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:container_var_lib_t:s0
Relabeled /var/mystorage/overlay-containers/containers.lock from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:container_var_lib_t:s0
Relabeled /var/mystorage/defaultNetworkBackend from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:container_var_lib_t:s0
Relabeled /var/mystorage/overlay-layers from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:container_ro_file_t:s0
Relabeled /var/mystorage/overlay-layers/layers.lock from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:container_ro_file_t:s0

Original

sudo semanage fcontext -a -e $HOME/.local/share/containers/storage/
➥ var/tmp/3267/var/mystorage
sudo restorecon -R -v /var/tmp/3267/var/mystorage

Check

sudo semanage fcontext -a -e $HOME/.local/share/containers/storage/var/tmp/3267/var/mystorage

5.2.1

Original

$ sudo cp /etc/containers/registries.conf
	/etc/containers/registries.conf.orig
$ sudo vi /etc/containers/registries.conf

Check

sudo cp /etc/containers/registries.conf /etc/containers/registries.conf.orig

Original

$ podman info
registries:
	search:
	- registry.fedoraproject.org
	- registry.access.redhat.com
	- example.com
	- quay.io

Check

$ podman info
host:
  arch: arm64
  buildahVersion: 1.30.0
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.7-2.fc38.aarch64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: '
  cpuUtilization:
    idlePercent: 99.6
    systemPercent: 0.29
    userPercent: 0.11
  cpus: 2
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    variant: server
    version: "38"
  eventLogger: journald
  hostname: localhost.localdomain
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.2.9-300.fc38.aarch64
  linkmode: dynamic
  logDriver: journald
  memFree: 3292725248
  memTotal: 4084936704
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.8.5-1.fc38.aarch64
    path: /usr/bin/crun
    version: |-
      crun version 1.8.5
      commit: b6f80f766c9a89eb7b1440c0a70ab287434b17ed
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-12.fc38.aarch64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 4084199424
  swapTotal: 4084199424
  uptime: 5h 40m 42.00s (Approximately 0.21 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - example.com
  - quay.io
store:
  configFile: /home/user/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/user/.local/share/containers/storage
  graphRootAllocated: 6064963584
  graphRootUsed: 4819132416
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 4
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/user/.local/share/containers/storage/volumes
version:
  APIVersion: 4.5.1
  Built: 1685123899
  BuiltTime: Sat May 27 02:58:19 2023
  GitCommit: ""
  GoVersion: go1.20.4
  Os: linux
  OsArch: linux/arm64
  Version: 4.5.1

Original

$ podman pull foobar
? Please select an image:
	▸ registry.fedoraproject.org/foobar:latest
	registry.access.redhat.com/foobar:latest
	example.com/foobar:latest
	quay.io/foobar:latest

Check

$ podman pull foobar
? Please select an image:
  ▸ registry.fedoraproject.org/foobar:latest
    registry.access.redhat.com/foobar:latest
    example.com/foobar:latest
    quay.io/foobar:latest

Original

$ sudo cp /etc/containers/registries.conf.orig /etc/containers/registries.conf

Check

$ sudo cp /etc/containers/registries.conf.orig /etc/containers/registries.conf

Original

$ sudo vi /etc/containers/registries.conf

[[registry]]
Location = "docker.io"
blocked=true

Check

$ sudo vi /etc/containers/registries.conf

# # in order, and use the first one that exists.

short-name-mode="enforcing"

[[registry]]
Location = "docker.io"
blocked=true

Original

$ podman info

Check

$ podman info
host:
  arch: arm64
  buildahVersion: 1.30.0
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.7-2.fc38.aarch64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: '
  cpuUtilization:
    idlePercent: 99.6
    systemPercent: 0.29
    userPercent: 0.11
  cpus: 2
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    variant: server
    version: "38"
  eventLogger: journald
  hostname: localhost.localdomain
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.2.9-300.fc38.aarch64
  linkmode: dynamic
  logDriver: journald
  memFree: 3308482560
  memTotal: 4084936704
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.8.5-1.fc38.aarch64
    path: /usr/bin/crun
    version: |-
      crun version 1.8.5
      commit: b6f80f766c9a89eb7b1440c0a70ab287434b17ed
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-12.fc38.aarch64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 4084199424
  swapTotal: 4084199424
  uptime: 5h 47m 44.00s (Approximately 0.21 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  docker.io:
    Blocked: true
    Insecure: false
    Location: docker.io
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: docker.io
    PullFromMirror: ""
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/user/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/user/.local/share/containers/storage
  graphRootAllocated: 6064963584
  graphRootUsed: 4818935808
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 4
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/user/.local/share/containers/storage/volumes
version:
  APIVersion: 4.5.1
  Built: 1685123899
  BuiltTime: Sat May 27 02:58:19 2023
  GitCommit: ""
  GoVersion: go1.20.4
  Os: linux
  OsArch: linux/arm64
  Version: 4.5.1

Original

$ podman pull docker.io/ubuntu
Trying to pull docker.io/library/ubuntu:latest…
Error: initializing source docker://ubuntu:latest: registry docker.io is blocked in/etc/containers/registries.conf or /home/dwalsh/.config/containers/registries.conf.d

Check

$ podman pull docker.io/ubuntu
Trying to pull docker.io/library/ubuntu:latest...
Error: initializing source docker://ubuntu:latest: registry docker.io is blocked in /etc/containers/registries.conf or /home/user/.config/containers/registries.conf.d
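A worked model of the name resolution exercised in 5.2.1 (the search-registry prompt for a short name, the 000-shortnames.conf alias, short-name-mode="enforcing", and a blocked docker.io), added here as an example; it is not podman's own code. The search list, the alias excerpt and the blocked list are constructed inline to mirror the Fedora defaults and the registries.conf edits above, and the function names are my own.

```sh
#!/bin/sh
# Added example (not podman's code): a model of how podman resolves an image name
# against registries.conf. The search list, the alias table and the blocked list are
# constructed inline to mirror the Fedora defaults, 000-shortnames.conf and the
# [[registry]] blocked=true stanza seen above.

SEARCH_REGISTRIES="registry.fedoraproject.org registry.access.redhat.com docker.io quay.io"
BLOCKED_REGISTRIES="docker.io"

# Constructed excerpt in the TOML form of /etc/containers/registries.conf.d/000-shortnames.conf
ALIASES='"ubi8" = "registry.access.redhat.com/ubi8"
"ubi8-micro" = "registry.access.redhat.com/ubi8-micro"
"ubi8-init" = "registry.access.redhat.com/ubi8-init"'

# is_qualified REF: true when the component before the first "/" names a registry
# (contains "." or ":", or is "localhost"); "ubi8:latest" has no "/" so it is short.
is_qualified() {
    first=${1%%/*}
    [ "$first" != "$1" ] || return 1
    case $first in
        *.*|*:*|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# qualify REF: add the implicit ":latest" tag and docker.io's "library/" namespace,
# which is why "docker.io/ubuntu" is pulled as docker.io/library/ubuntu:latest.
qualify() {
    reg=${1%%/*}; path=${1#*/}
    case $path in
        */*) ;;
        *) if [ "$reg" = docker.io ]; then path="library/$path"; fi ;;
    esac
    last=${path##*/}
    case $last in
        *:*|*@*) ;;
        *) path="$path:latest" ;;
    esac
    echo "$reg/$path"
}

is_blocked() {
    for b in $BLOCKED_REGISTRIES; do
        if [ "$b" = "$1" ]; then return 0; fi
    done
    return 1
}

# lookup_alias NAME: print the alias target for a repository name, if one exists
lookup_alias() {
    while IFS= read -r line; do
        k=${line%%\" =*}; k=${k#\"}
        v=${line##*= \"}; v=${v%\"}
        if [ "$k" = "$1" ]; then echo "$v"; return 0; fi
    done <<EOF
$ALIASES
EOF
    return 1
}

# resolve REF MODE TTY: MODE is "enforcing" or "permissive", TTY is "tty" or "notty".
# Prints the fully qualified reference(s) a pull would try; fails when the registry
# is blocked or when enforcing mode would have to guess without being able to prompt.
resolve() {
    ref=$1; mode=$2; tty=$3
    if is_qualified "$ref"; then
        full=$(qualify "$ref")
        if is_blocked "${full%%/*}"; then
            echo "error: registry ${full%%/*} is blocked in registries.conf" >&2
            return 1
        fi
        echo "$full"
        return 0
    fi
    name=${ref%%[:@]*}            # repository name without tag or digest
    suffix=${ref#"$name"}
    [ -n "$suffix" ] || suffix=":latest"
    if target=$(lookup_alias "$name"); then
        echo "$target$suffix"     # an alias is unambiguous: no prompt, no search
        return 0
    fi
    set -- $SEARCH_REGISTRIES
    if [ "$mode" = enforcing ] && [ $# -gt 1 ] && [ "$tty" != tty ]; then
        echo "error: short name \"$ref\" matches $# search registries and no TTY to prompt" >&2
        return 1
    fi
    # enforcing with a TTY: these are the prompt choices; permissive: tried in this order
    for reg in "$@"; do
        qualify "$reg/$name$suffix"
    done
}

resolve ubi8 enforcing tty
resolve foobar permissive notty
resolve docker.io/ubuntu enforcing tty || true
```

The practical point for scripts and unit files: in enforcing mode an unaliased short name cannot be resolved without a TTY, so anything non-interactive should pull fully qualified names; aliases and the blocked list are decided before any network request is made, so a blocked registry fails fast rather than after a partial download.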

Original

$ sudo cp /etc/containers/registries.conf.orig/ 
➥ etc/containers/registries.conf

Check

$ sudo cp /etc/containers/registries.conf.orig /etc/containers/registries.conf

Original

[[registry]]
location="registry.access.redhat.com"
[[registry.mirror]]
location="mirror-1.com"

Check

$ sudo vi /etc/containers/registries.conf

[[registry]]
location="registry.access.redhat.com"
[[registry.mirror]]
location="mirror-1.com"

Original

$ podman pull registry.access.redhat.com/ubi8/httpd-24:latest

Check

$ podman pull registry.access.redhat.com/ubi8/httpd-24:latest
  • need closed network

5.3

Original

$ podman run --rm ubi8 printenv
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
TERM=xterm
container=oci
HOME=/root
HOSTNAME=ba4acf180386

Check

$ podman run --rm ubi8 printenv
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
TERM=xterm
container=oci
HOME=/root
HOSTNAME=b41abbe1f7f5

Original

$ mkdir -p $HOME/.config/containers/containers.conf.d
$ cat << _EOF > $HOME/.config/containers/containers.conf.d/env.conf [containers]
env=[ "foo=bar" ]
_EOF

Check

$ cat << _EOF > $HOME/.config/containers/containers.conf.d/env.conf
[containers]
env=[ "foo=bar" ]
_EOF
$ cat $HOME/.config/containers/containers.conf.d/env.conf
[containers]
env=[ "foo=bar" ]

Original

$ podman run --rm ubi8 printenv PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin TERM=xterm
container=oci
foo=bar
HOME=/root
HOSTNAME=406fc182d44b

Check

$ podman run --rm ubi8 printenv
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
TERM=xterm
container=oci
foo=bar
HOME=/root
HOSTNAME=998c5b3b95f9

Original

$ podman run quay.io/podman/stable cat /etc/containers/containers.conf
[containers]
netns="host"
userns="host"
ipcns="host"
utsns="host"
cgroupns="host"
cgroups="disabled"
log_driver = "k8s-file"
[engine]
cgroup_manager = "cgroupfs"
events_logger="file"
runtime="crun"

Check

$ podman run quay.io/podman/stable cat /etc/containers/containers.conf
[containers]
netns="host"
userns="host"
ipcns="host"
utsns="host"
cgroupns="host"
cgroups="disabled"
log_driver = "k8s-file"
[engine]
cgroup_manager = "cgroupfs"
events_logger="file"
runtime="crun"

Original

$ podman run --device /dev/fuse --user podman quay.io/podman/stable podman 
➥ run ubi8-micro echo hi
Resolved "ubi8" as an alias (/etc/containers/registries.conf.d/
➥ 000-shortnames.conf
Trying to pull registry.access.redhat.com/ubi8:latest…
Getting image source signatures
Copying blob sha256:5368f457acd16b337e2b150741f727c46f886c69eea
 ➥ 1a4d56d0114c88029ed87
…
hi

Check

$ podman run --device /dev/fuse --user podman quay.io/podman/stable podman run ubi8-micro echo hi
Resolved "ubi8-micro" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8-micro:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob sha256:3639f8815fcd86857e1ab7486e406dbb709aee81676ea94b2fe7a64f6b445d65
Copying config sha256:f57f74091bccd9f8c3617da5a4f6562924d00052be5366f79e510850e0b5303c
Writing manifest to image destination
Storing signatures
Error: crun: set propagation for `proc`: Permission denied: OCI permission denied

$ podman run --privileged --device /dev/fuse --user podman quay.io/podman/stable podman run ubi8-micro echo hi
Resolved "ubi8-micro" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8-micro:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob sha256:3639f8815fcd86857e1ab7486e406dbb709aee81676ea94b2fe7a64f6b445d65
Copying config sha256:f57f74091bccd9f8c3617da5a4f6562924d00052be5366f79e510850e0b5303c
Writing manifest to image destination
Storing signatures
hi

6.1

Original

$ podman rmi --all --force
Untagged: registry.access.redhat.com/ubi8/httpd-24:latest
Untagged: registry.access.redhat.com/ubi8-init:latest
Untagged: localhost/myimage:latest
Untagged: quay.io/rhatdan/myimage:latest
Deleted: d2244a4379d6f1981189d35154beaf4f9a17666ae3b9fba680ddb014eac72adc Deleted: 82eb390304938f16dd707f32abaa8464af8d4a25959ab342e25696a540ec56b5 Deleted: 8773554aad01d4b8443d979cdd509e7b8fa88ddbc966987fe91690d05614c961

Check

$ podman rmi --all --force


Original

$ podman run -d -p 8080:8080 --name myapp quay.io/rhatdan/myimage
        Trying to pull quay.io/rhatdan/myimage:latest...
        ...
        2f111737752dcbf1a1c7e15e807fb48f55362b67356fc10c2ade24964e99fa09

Check

$ podman run -d -p 8080:8080 --name myapp quay.io/rhatdan/myimage
Trying to pull quay.io/rhatdan/myimage:latest...
Getting image source signatures
Copying blob c7765172d3ce done
Copying blob e3460238f8a1 done
Copying blob dfd8c625d022 done
Copying blob 2b782a9ad894 done
Copying blob a1eadb69adf1 done
Copying config 2c7e43d880 done
Writing manifest to image destination
Storing signatures
f834d76b3639380c5060fb2e30be178646197cfe0e19f2182d278edb67b12be3

Original

$ podman run --user=root --rm quay.io/rhatdan/myimage -- bash -c "find / 
➥ -mount -printf \"%U=%u\n\" | sort -un" 2>/dev/null
0=root
48=apache
1001=default
65534=nobody

Check

$ podman run --user=root --rm quay.io/rhatdan/myimage -- bash -c "find / -mount -printf \"%U=%u\n\" | sort -un" 2>/dev/null
0=root
48=apache
1001=default
65534=nobody

Original

$ cat /etc/subuid
dwalsh:100000:65536
Testuser:165536:65536 
$ cat /etc/subgid
dwalsh:100000:65536
Testuser:165536:65536

Check

$ cat /etc/subuid
user:524288:65536
$ cat /etc/subgid
user:524288:65536

Original

$ cat /proc/self/uid_map
      0        0 4294967295

Check

$ cat /proc/self/uid_map
         0          0 4294967295

Original

$ podman unshare cat /proc/self/uid_map
       0     3267        1
       1   100000    65536

Check

$ podman unshare cat /proc/self/uid_map
         0       1000          1
         1     524288      65536

Original

$ ls -l -ld /
dr-xr-xr-x. 18 root root 242 Sep 21 22:32 /

Check

$ ls -l -ld /
dr-xr-xr-x. 18 root root 235 Apr 14 06:45 /

Original

$ podman unshare ls -ld /
dr-xr-xr-x. 18 nobody nobody 242 Sep 21 22:32 /

Check

$ podman unshare ls -ld /
dr-xr-xr-x. 18 nobody nobody 235 Apr 14 06:45 /

Original

$ podman unshare bash -c "id ; ls -l /etc/passwd; grep dwalsh
➥ /etc/passwd; touch /etc/passwd"
uid=0(root) gid=0(root) groups=0(root),65534(nobody) -rw-r--r--. 1 nobody nobody 2942 Sep 28 07:08 /etc/passwd dwalsh:x:3267:3267:Dan Walsh:/home/dwalsh:/bin/bash
touch: cannot touch '/etc/passwd': Permission denied

Check

$ podman unshare bash -c "id ; ls -l /etc/passwd; grep user /etc/passwd; touch /etc/passwd"
uid=0(root) gid=0(root) groups=0(root),65534(nobody) context=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023
-rw-r--r--. 1 nobody nobody 1976 Jun 14 02:38 /etc/passwd
chrony:x:997:996:chrony system user:/var/lib/chrony:/sbin/nologin
clevis:x:996:995:Clevis Decryption Framework unprivileged user:/var/cache/clevis:/usr/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
user:x:1000:1000::/home/user:/bin/bash
touch: cannot touch '/etc/passwd': Permission denied

Original

$ ls -ld /home/dwalsh
drwx------. 365 dwalsh dwalsh 24576 Sep 28 07:30 /home/dwalsh

Check

$ ls -ld /home/user
drwx------. 8 user user 166 Jun 14 10:23 /home/user

Original

$ podman unshare ls -ld /home/dwalsh
drwx------. 365 root root 24576 Sep 28 07:30 /home/dwalsh

Check

$ podman unshare ls -ld /home/user
drwx------. 8 root root 166 Jun 14 10:23 /home/user

Original

$ podman unshare bash -c "mkdir test;touch test/testfile; chown -R 1:1 test"

Check

$ podman unshare bash -c "mkdir test;touch test/testfile; chown -R 1:1 test"

Original

$ ls -l test
total 0
-rw-r--r--. 1 100000 100000 0 Sep 28 07:53 testfile

Check

$ ls -l test
total 0
-rw-r--r--. 1 524288 524288 0 Jun 23 22:29 testfile

Original

$ rm -rf test
rm: cannot remove 'test/testfile': Permission denied

Check

$ rm -rf test
rm: cannot remove 'test/testfile': Permission denied

Original

$ podman unshare rm -rf test

Check

$ podman unshare rm -rf test
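The arithmetic behind the ls output above (testfile owned by 524288 on the host, root's files shown as nobody inside podman unshare), as an added example that is not from the book or this gist: a small shell script that takes a map in the format of /proc/self/uid_map and translates IDs in both directions. The map is constructed inline from the check output above (host user 1000 with the subuid range 524288:65536 from /etc/subuid); the function names are my own.

```sh
#!/bin/sh
# Added example (not podman's code): translate IDs across the user namespace that
# `podman unshare` enters. The map below is constructed to match the
# /proc/self/uid_map shown above (assumption: host user 1000 with the subuid range
# 524288:65536 from /etc/subuid); read the real one with
# `podman unshare cat /proc/self/uid_map`. Each line is: container_start host_start length.
UID_MAP='         0       1000          1
         1     524288      65536'

# container_to_host MAP ID: the host UID that owns a file chowned to ID inside the
# namespace. Fails for an ID outside the map, which is why chown to such an ID
# returns EINVAL: the kernel has no host ID to write to disk.
container_to_host() {
    map=$1; cid=$2
    while read -r c_start h_start len; do
        [ -n "$c_start" ] || continue
        if [ "$cid" -ge "$c_start" ] && [ "$cid" -lt $((c_start + len)) ]; then
            echo $((h_start + cid - c_start))
            return 0
        fi
    done <<EOF
$map
EOF
    echo "uid $cid is not mapped in this user namespace" >&2
    return 1
}

# host_to_container MAP ID: how a host-owned file appears inside the namespace.
# Host IDs outside the map (root's files, other users' files) show as the kernel
# overflow ID 65534, "nobody", which is what `podman unshare ls -ld /` prints.
host_to_container() {
    map=$1; hid=$2
    while read -r c_start h_start len; do
        [ -n "$c_start" ] || continue
        if [ "$hid" -ge "$h_start" ] && [ "$hid" -lt $((h_start + len)) ]; then
            echo $((c_start + hid - h_start))
            return 0
        fi
    done <<EOF
$map
EOF
    echo 65534
}

echo "container uid 1 (chown 1:1 test) -> host uid $(container_to_host "$UID_MAP" 1)"
echo "container uid 48 (apache)        -> host uid $(container_to_host "$UID_MAP" 48)"
echo "host uid 0 (root)                -> container uid $(host_to_container "$UID_MAP" 0)"
```

The same arithmetic applies to gid_map for groups. It also explains the failed rm above: the host user (1000) is not the owner 524288 of the directory, so only a process inside the namespace, where 524288 maps back to 1, may unlink the file.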

Original

$ ls -l /proc/self/ns/user /proc/self/ns/mnt
lrwxrwxrwx. 1 dwalsh dwalsh 0 Sep 28 09:17 /proc/self/ns/mnt -> 
➥ 'mnt:[4026531840]'
lrwxrwxrwx. 1 dwalsh dwalsh 0 Sep 28 09:17 /proc/self/ns/user -> 
➥ 'user:[4026531837]'

Check

$ ls -l /proc/self/ns/user /proc/self/ns/mnt
lrwxrwxrwx. 1 user user 0 Jun 23 22:38 /proc/self/ns/mnt -> 'mnt:[4026531841]'
lrwxrwxrwx. 1 user user 0 Jun 23 22:38 /proc/self/ns/user -> 'user:[4026531837]'

Original

$ podman unshare ls -l /proc/self/ns/user /proc/self/ns/mnt
lrwxrwxrwx. 1 root root 0 Sep 28 09:17 /proc/self/ns/mnt -> 
➥ 'mnt:[4026533087]'
lrwxrwxrwx. 1 root root 0 Sep 28 09:17 /proc/self/ns/user -> 
➥ 'user:[4026533086]'

Check

$ podman unshare ls -l /proc/self/ns/user /proc/self/ns/mnt
lrwxrwxrwx. 1 root root 0 Jun 23 22:39 /proc/self/ns/mnt -> 'mnt:[4026532340]'
lrwxrwxrwx. 1 root root 0 Jun 23 22:39 /proc/self/ns/user -> 'user:[4026532338]'

Original

$ echo hello > /tmp/testfile
$ mount --bind /tmp/testfile /etc/shadow
mount: only root can use "--bind" option

Check

$ echo hello > /tmp/testfile
$ mount --bind /tmp/testfile /etc/shadow
mount: /etc/shadow: must be superuser to use mount.
       dmesg(1) may have more information after failed mount system call.

Original

$ podman unshare bash -c "mount -o bind /tmp/testfile /etc/shadow; cat
/etc/shadow"
hello

Check

$ podman unshare bash -c "mount -o bind /tmp/testfile /etc/shadow; cat /etc/shadow"
hello

6.2

Original

$ ps -e | grep podman
  2541 ?     00:00:00 podman pause

NG

Check


6.2.3

Original

$ podman run -d -p 8080:8080 --name myapp registry.access.redhat.com/ubi8/httpd-24

Check

$ podman run -d -p 8080:8080 --name myapp registry.access.redhat.com/ubi8/httpd-24
Trying to pull registry.access.redhat.com/ubi8/httpd-24:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob d636ba73ba9a done
Copying blob 51f05f29bd9f done
Copying blob a9e9689dc44b done
Copying config 1a6ac766fe done
Writing manifest to image destination
Storing signatures
6466fd114e9725d22257bde07b4d9787e00970a7f154e1a86e4c477d64a0c6e6

memo

$ podman run --rm --privileged quay.io/podman/stable:v4.1.0 podman info |grep networkBackend
  networkBackend: netavark
$ podman run --rm --privileged  quay.io/podman/stable:v3.4.7 podman info |grep networkBackend

$ podman run --rm --privileged  quay.io/podman/stable:v3.4.7 podman network inspect podman
[
    {
        "cniVersion": "0.4.0",
        "name": "podman",
        "plugins": [
            {
                "bridge": "cni-podman0",
                "hairpinMode": true,
                "ipMasq": true,
                "ipam": {
                    "ranges": [
                        [
                            {
                                "gateway": "10.88.0.1",
                                "subnet": "10.88.0.0/16"
                            }
                        ]
                    ],
                    "routes": [
                        {
                            "dst": "0.0.0.0/0"
                        }
                    ],
                    "type": "host-local"
                },
                "isGateway": true,
                "type": "bridge"
            },
            {
                "capabilities": {
                    "portMappings": true
                },
                "type": "portmap"
            },
            {
                "type": "firewall"
            },
            {
                "type": "tuning"
            }
        ]
    }
]

$ podman run --rm --privileged  quay.io/podman/stable:v4.1.0 podman network inspect podman
[
     {
          "name": "podman",
          "id": "2f259bab93aaaaa2542ba43ef33eb990d0999ee1b9924b557b7be53c0b7a1bb9",
          "driver": "bridge",
          "network_interface": "podman0",
          "created": "2023-06-23T15:22:31.412809864Z",
          "subnets": [
               {
                    "subnet": "10.88.0.0/16",
                    "gateway": "10.88.0.1"
               }
          ],
          "ipv6_enabled": false,
          "internal": false,
          "dns_enabled": false,
          "ipam_options": {
               "driver": "host-local"
          }
     }
]

6.2.5

Original

$ podman run -d -p 8080:8080 --name myapp
     registry.access.redhat.com/ubi8/httpd-24

Check

$ podman run -d -p 8080:8080 --name myapp registry.access.redhat.com/ubi8/httpd-24

6.2.6

Original

$ podman stop myapp

Check

$ podman stop myapp
myapp

7.1

Original

$ podman pull ubi8-init
Resolved "ubi8-init" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8-init:latest...
…
Storing signatures
2f84d44cfdc301040d69895f1e638034faa58881f4d0b77d4b8e791a859eda25
$ podman inspect ubi8-init --format '{{ .Config.Cmd }}'
[/sbin/init]

Check

$ podman pull ubi8-init
Resolved "ubi8-init" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8-init:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob a94348648fdb done
Copying blob dc5bc235f26c done
Copying config 7853751841 done
Writing manifest to image destination
Storing signatures
7853751841780843706c6a8814118218fc4f32bd72232e0a2b54cc49379af532
$ podman inspect ubi8-init --format '{{ .Config.Cmd }}'
[/sbin/init]

7.1.2

Original

$ podman create --rm --name SystemD -ti --systemd=always ubi8-init sh
fdc9cd062843f581ae26aace17be31c277706522f0f0d76c68935d6ddee656c2

Check

$ podman create --rm --name SystemD -ti --systemd=always ubi8-init sh
cdb879dd9ad9890e59e63352905b781f9adde9f8357148fafd1acb382d2284f7

Original

$ podman inspect SystemD --format '{{ .Config.StopSignal}}'
37

Check

$ podman inspect SystemD --format '{{ .Config.StopSignal}}'
37

Original

$ podman start --attach SystemD
sh-4.4# mount | grep -e /tmp -e /run | head -2
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime,context="system_u:object_r:container_file_t:s0:c123,c887",uid=501,gid=1000,inode64)
tmpfs on /run type tmpfs (rw,nosuid,nodev,relatime,context="system_u:object_r:container_file_t:s0:c123,c887",uid=501,gid=1000,inode64)
sh-4.4# printenv container
oci

Check

$ podman start --attach SystemD
sh-4.4# mount | grep -e /tmp -e /run | head -2
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime,context="system_u:object_r:container_file_t:s0:c103,c252",uid=1000,gid=1000,inode64)
tmpfs on /run type tmpfs (rw,nosuid,nodev,relatime,context="system_u:object_r:container_file_t:s0:c103,c252",uid=1000,gid=1000,inode64)
sh-4.4# printenv container
oci

Original

$ podman run -ti ubi8-init
systemd 239 (239-68.el8_7.4) running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=legacy)
Detected virtualization container-other.
Detected architecture x86-64.
Welcome to Red Hat Enterprise Linux 8.7 (Ootpa)!
Set hostname to <6ea94426bd92>.
Initializing machine ID from container UUID.
[  OK  ] Listening on Process Core Dump Socket.
[  OK  ] Reached target Slices.
[  OK  ] Reached target Local File Systems.
[  OK  ] Started Forward Password Requests to Wall Directory Watch.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Listening on initctl Compatibility Named Pipe.
[  OK  ] Listening on Journal Socket (/dev/log).
[  OK  ] Listening on Journal Socket.
…

Check

$ podman run -ti ubi8-init
systemd 239 (239-74.el8_8) running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=legacy)
Detected virtualization container-other.
Detected architecture arm64.

Welcome to Red Hat Enterprise Linux 8.8 (Ootpa)!

Set hostname to <ae160f562942>.
Initializing machine ID from container UUID.
[  OK  ] Started Dispatch Password Requests to Console Directory Watch.
[  OK  ] Listening on Journal Socket.
[  OK  ] Reached target Slices.
[  OK  ] Started Forward Password Requests to Wall Directory Watch.
[  OK  ] Reached target Network is Online.
[  OK  ] Reached target Paths.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Listening on initctl Compatibility Named Pipe.
-.slice: Failed to set memory.min: Operation not permitted
-.slice: Failed to set memory.low: Operation not permitted
-.slice: Failed to set memory.high: Operation not permitted
-.slice: Failed to set memory.max: Operation not permitted
-.slice: Failed to set memory.swap.max: Operation not permitted
-.slice: Failed to set pids.max: Operation not permitted
         Starting Create System Users...
[  OK  ] Listening on Process Core Dump Socket.
[  OK  ] Reached target Local File Systems.
         Starting Rebuild Journal Catalog...
[  OK  ] Reached target Swap.
         Starting Rebuild Dynamic Linker Cache...
[  OK  ] Listening on Journal Socket (/dev/log).
         Starting Journal Service...
[  OK  ] Started Create System Users.
[  OK  ] Started Rebuild Journal Catalog.
[  OK  ] Started Journal Service.
         Starting Flush Journal to Persistent Storage...
[  OK  ] Started Rebuild Dynamic Linker Cache.
         Starting Update is Completed...
[  OK  ] Started Update is Completed.
[  OK  ] Started Flush Journal to Persistent Storage.
         Starting Create Volatile Files and Directories...
[  OK  ] Started Create Volatile Files and Directories.
         Starting Update UTMP about System Boot/Shutdown...
[  OK  ] Started Update UTMP about System Boot/Shutdown.
[  OK  ] Reached target System Initialization.
[  OK  ] Started dnf makecache --timer.
[  OK  ] Listening on D-Bus System Message Bus Socket.
[  OK  ] Reached target Sockets.
[  OK  ] Started Daily Cleanup of Temporary Directories.
[  OK  ] Reached target Timers.
[  OK  ] Reached target Basic System.
[  OK  ] Started D-Bus System Message Bus.
         Starting Permit User Sessions...
[  OK  ] Started Permit User Sessions.
[  OK  ] Reached target Multi-User System.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.

^C
[  OK  ] Stopped target Multi-User System.
         Stopping Permit User Sessions...
         Unmounting var-log-journal.mount...
[  OK  ] Stopped target Timers.
[  OK  ] Stopped dnf makecache --timer.
[  OK  ] Stopped Daily Cleanup of Temporary Directories.
[  OK  ] Stopped target Network is Online.
         Stopping D-Bus System Message Bus...
[FAILED] Failed unmounting var-log-journal.mount.
[  OK  ] Stopped Permit User Sessions.
[  OK  ] Stopped target Remote File Systems.
[  OK  ] Stopped D-Bus System Message Bus.
[  OK  ] Stopped target Basic System.
[  OK  ] Stopped target Slices.
[  OK  ] Stopped target Sockets.
[  OK  ] Stopped target Paths.
[  OK  ] Stopped Forward Password Requests to Wall Directory Watch.
[  OK  ] Stopped Dispatch Password Requests to Console Directory Watch.
[  OK  ] Closed D-Bus System Message Bus Socket.
[  OK  ] Stopped target System Initialization.
         Stopping Update UTMP about System Boot/Shutdown...
[  OK  ] Stopped Update is Completed.
[  OK  ] Stopped Rebuild Journal Catalog.
[  OK  ] Stopped Rebuild Dynamic Linker Cache.
[  OK  ] Stopped Update UTMP about System Boot/Shutdown.
[  OK  ] Stopped Create Volatile Files and Directories.
[  OK  ] Stopped Create System Users.
[  OK  ] Stopped target Local File Systems.
         Unmounting /etc/hostname...
         Unmounting /run/secrets...
         Unmounting Temporary Directory (/tmp)...
         Unmounting /run/.containerenv...
         Unmounting /etc/hosts...
         Unmounting /run/lock...
         Unmounting /etc/resolv.conf...
[FAILED] Failed unmounting /etc/hostname.
[FAILED] Failed unmounting /etc/hosts.
[FAILED] Failed unmounting Temporary Directory (/tmp).
[FAILED] Failed unmounting /etc/resolv.conf.
[FAILED] Failed unmounting /run/lock.
[FAILED] Failed unmounting /run/.containerenv.
[FAILED] Failed unmounting /run/secrets.
[  OK  ] Reached target Unmount All Filesystems.
[  OK  ] Stopped target Swap.
[  OK  ] Reached target Shutdown.
[  OK  ] Reached target Final Step.
         Starting Halt...

7.1.3

Original

$ mkdir /tmp/pia-systemd-httpd
$ cat << _EOF >  /tmp/pia-systemd-httpd/Containerfile
FROM ubi8-init
RUN dnf -y install httpd; dnf -y clean all
RUN systemctl enable httpd.service
_EOF

Check

$ mkdir /tmp/pia-systemd-httpd
$ cat << _EOF >  /tmp/pia-systemd-httpd/Containerfile
FROM ubi8-init
RUN dnf -y install httpd; dnf -y clean all
RUN systemctl enable httpd.service
_EOF
$ cat /tmp/pia-systemd-httpd/Containerfile
FROM ubi8-init
RUN dnf -y install httpd; dnf -y clean all
RUN systemctl enable httpd.service

Original

$ podman build -t my-systemd /tmp/pia-systemd-httpd/
STEP 1/3: FROM ubi8-init
STEP 2/3: RUN dnf -y install httpd; dnf -y clean all
Updating Subscription Management repositories.
Unable to read consumer identity
…
COMMIT my-systemd
--> Pushing cache []:d798a53f30c1ff76543f6b8d645aee0280f8a52a68c537c3d2d2745fadde5838
--> 111cca51e8f
Successfully tagged localhost/my-systemd:latest
111cca51e8f0fa5c7d9417f346951e82ec7f2963234fc54556288fa4fe1938f4

Check

$ podman build -t my-systemd /tmp/pia-systemd-httpd/
STEP 1/3: FROM ubi8-init
STEP 2/3: RUN dnf -y install httpd; dnf -y clean all
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Red Hat Universal Base Image 8 (RPMs) - BaseOS  217 kB/s | 611 kB     00:02
Red Hat Universal Base Image 8 (RPMs) - AppStre 784 kB/s | 3.0 MB     00:03
Red Hat Universal Base Image 8 (RPMs) - CodeRea  24 kB/s |  69 kB     00:02
Dependencies resolved.
====================================================================================================
 Package              Arch     Version                                   Repository             Size
====================================================================================================
Installing:
 httpd                aarch64  2.4.37-56.module+el8.8.0+18758+b3a9c8da.6 ubi-8-appstream-rpms  1.4 M
Installing dependencies:
 apr                  aarch64  1.6.3-12.el8                              ubi-8-appstream-rpms  123 k
 apr-util             aarch64  1.6.1-6.el8_8.1                           ubi-8-appstream-rpms  104 k
 httpd-filesystem     noarch   2.4.37-56.module+el8.8.0+18758+b3a9c8da.6 ubi-8-appstream-rpms   43 k
 httpd-tools          aarch64  2.4.37-56.module+el8.8.0+18758+b3a9c8da.6 ubi-8-appstream-rpms  109 k
 mailcap              noarch   2.1.48-3.el8                              ubi-8-baseos-rpms      39 k
 mod_http2            aarch64  1.15.7-8.module+el8.8.0+18751+b4557bca.3  ubi-8-appstream-rpms  147 k
 redhat-logos-httpd   noarch   84.5-1.el8                                ubi-8-baseos-rpms      29 k
Installing weak dependencies:
 apr-util-bdb         aarch64  1.6.1-6.el8_8.1                           ubi-8-appstream-rpms   25 k
 apr-util-openssl     aarch64  1.6.1-6.el8_8.1                           ubi-8-appstream-rpms   27 k
Enabling module streams:
 httpd                         2.4

Transaction Summary
====================================================================================================
Install  10 Packages

Total download size: 2.0 M
Installed size: 10 M
Downloading Packages:
(1/10): mailcap-2.1.48-3.el8.noarch.rpm          32 kB/s |  39 kB     00:01
(2/10): redhat-logos-httpd-84.5-1.el8.noarch.rp  16 kB/s |  29 kB     00:01
(3/10): apr-1.6.3-12.el8.aarch64.rpm             50 kB/s | 123 kB     00:02
(4/10): httpd-2.4.37-56.module+el8.8.0+18758+b3 597 kB/s | 1.4 MB     00:02
(5/10): apr-util-1.6.1-6.el8_8.1.aarch64.rpm     77 kB/s | 104 kB     00:01
(6/10): httpd-tools-2.4.37-56.module+el8.8.0+18  43 kB/s | 109 kB     00:02
(7/10): apr-util-openssl-1.6.1-6.el8_8.1.aarch6  21 kB/s |  27 kB     00:01
(8/10): apr-util-bdb-1.6.1-6.el8_8.1.aarch64.rp  16 kB/s |  25 kB     00:01
(9/10): mod_http2-1.15.7-8.module+el8.8.0+18751  99 kB/s | 147 kB     00:01
(10/10): httpd-filesystem-2.4.37-56.module+el8.  21 kB/s |  43 kB     00:02
--------------------------------------------------------------------------------
Total                                           285 kB/s | 2.0 MB     00:07
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : apr-1.6.3-12.el8.aarch64                              1/10
  Running scriptlet: apr-1.6.3-12.el8.aarch64                              1/10
  Installing       : apr-util-bdb-1.6.1-6.el8_8.1.aarch64                  2/10
  Installing       : apr-util-openssl-1.6.1-6.el8_8.1.aarch64              3/10
  Installing       : apr-util-1.6.1-6.el8_8.1.aarch64                      4/10
  Running scriptlet: apr-util-1.6.1-6.el8_8.1.aarch64                      4/10
  Installing       : httpd-tools-2.4.37-56.module+el8.8.0+18758+b3a9c8d    5/10
  Running scriptlet: httpd-filesystem-2.4.37-56.module+el8.8.0+18758+b3    6/10
  Installing       : httpd-filesystem-2.4.37-56.module+el8.8.0+18758+b3    6/10
  Installing       : mailcap-2.1.48-3.el8.noarch                           7/10
  Installing       : redhat-logos-httpd-84.5-1.el8.noarch                  8/10
  Installing       : mod_http2-1.15.7-8.module+el8.8.0+18751+b4557bca.3    9/10
  Installing       : httpd-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aa   10/10
  Running scriptlet: httpd-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aa   10/10
  Verifying        : redhat-logos-httpd-84.5-1.el8.noarch                  1/10
  Verifying        : mailcap-2.1.48-3.el8.noarch                           2/10
  Verifying        : apr-1.6.3-12.el8.aarch64                              3/10
  Verifying        : httpd-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aa    4/10
  Verifying        : httpd-tools-2.4.37-56.module+el8.8.0+18758+b3a9c8d    5/10
  Verifying        : apr-util-1.6.1-6.el8_8.1.aarch64                      6/10
  Verifying        : apr-util-bdb-1.6.1-6.el8_8.1.aarch64                  7/10
  Verifying        : apr-util-openssl-1.6.1-6.el8_8.1.aarch64              8/10
  Verifying        : mod_http2-1.15.7-8.module+el8.8.0+18751+b4557bca.3    9/10
  Verifying        : httpd-filesystem-2.4.37-56.module+el8.8.0+18758+b3   10/10
Installed products updated.

Installed:
  apr-1.6.3-12.el8.aarch64
  apr-util-1.6.1-6.el8_8.1.aarch64
  apr-util-bdb-1.6.1-6.el8_8.1.aarch64
  apr-util-openssl-1.6.1-6.el8_8.1.aarch64
  httpd-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aarch64
  httpd-filesystem-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.noarch
  httpd-tools-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aarch64
  mailcap-2.1.48-3.el8.noarch
  mod_http2-1.15.7-8.module+el8.8.0+18751+b4557bca.3.aarch64
  redhat-logos-httpd-84.5-1.el8.noarch

Complete!
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

25 files removed
--> d99d21d07758
STEP 3/3: RUN systemctl enable httpd.service
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
COMMIT my-systemd
--> 4a7092a80d93
Successfully tagged localhost/my-systemd:latest
4a7092a80d93f28e8eff5b4adafc3950ac4f672fbf1906f2ba71c7a105af7049

Original

$ podman run -d --rm -p 8080:80 -v ./html:/var/www/html:Z my-systemd
7675617e5b8b63c4dc3c8db41089c6aad728294fd1fa042b6ffd9e1e80e2727e

Check

$ podman run -d --rm -p 8080:80 -v ./html:/var/www/html:Z my-systemd
a4b41d717f0d49820ba4a06923ee338a5e8d953ff936e1e75643c63f9e46b672

Original

$ podman ps
CONTAINER ID  IMAGE                        COMMAND     CREATED         STATUS         PORTS                 NAMES
7675617e5b8b  localhost/my-systemd:latest  /sbin/init  11 minutes ago  Up 11 minutes  0.0.0.0:8080->80/tcp  sleepy_ganguly
$ podman logs 7675617e5b8b
$

Check

$ podman ps
CONTAINER ID  IMAGE                        COMMAND     CREATED        STATUS        PORTS                 NAMES
e7a14f5ceb17  localhost/my-systemd:latest  /sbin/init  2 minutes ago  Up 2 minutes  0.0.0.0:8080->80/tcp  pensive_aryabhata
$ podman logs a4b41d717f0d
$

7.2.1

Original

$ podman info --format '{{ .Host.LogDriver }}'
k8s-file

Check

$ podman run --rm --privileged quay.io/podman/stable podman info --format '{{ .Host.LogDriver }}'
k8s-file
  • the default on the host is journald
  • quay.io/podman/stable reports k8s-file (because Podman is running inside a container there)

Original

$ mkdir -p $HOME/.config/containers/containers.conf.d
$ cat > $HOME/.config/containers/containers.conf.d/log_driver.conf << _EOF
[containers]
log_driver="journald"
_EOF
$ podman info --format '{{ .Host.LogDriver }}'
journald

Check (replayed inside the pinp container, Podman in Podman)

$ podman run -d --privileged --user podman --name pinp quay.io/podman/stable sleep inf
c48be8cf54ae0f6d241c0ff736f8b52da3e72c79920be5d7d92344cf83cc877e
$ podman exec -it pinp bash
[podman@c48be8cf54ae /]$ podman info --format '{{ .Host.LogDriver }}'
k8s-file
[podman@c48be8cf54ae /]$ mkdir -p $HOME/.config/containers/containers.conf.d
[podman@c48be8cf54ae /]$ cat > $HOME/.config/containers/containers.conf.d/log_driver.conf << _EOF
[containers]
log_driver="journald"
_EOF
[podman@c48be8cf54ae /]$ podman info --format '{{ .Host.LogDriver }}'
journald

Original

$ podman run --rm --name test2 ubi8 echo "Check if logs persist"
Check if logs persist

Check

$ podman run --rm --name test2 ubi8 echo "Check if logs persist"
Check if logs persist

Original

$ journalctl -b | grep "Check if logs persist"
May 05 21:53:05 localhost.localdomain test2[1156]: Check if logs persist

Check

$ journalctl -b | grep "Check if logs persist"
Jun 24 05:58:55 localhost.localdomain test2[8450]: Check if logs persist

7.2.2

Original

$ podman events --filter event=start --since 1h
2023-05-05 21:53:05.746461864 +0900 JST container start f3f51e374f2321a864a7a608c0a2ecd0a6ceaba5c7592012af28b96f98eaf7a4
...

Check

$ podman events --filter event=start --since 1h
2023-06-24 05:36:19.542111276 +0900 JST container start e969c933d09447ce6dcd5871f0232a00ec2a665292817c233743f863bab75747 (image=quay.io/podman/stable:latest, name=gifted_pare, org.opencontainers.image.version=4.5.1, vendor=Fedora Project, version=38, io.buildah.version=1.30.0, license=MIT, name=fedora, org.opencontainers.image.created=2023-06-23T18:20:33+00:00, org.opencontainers.image.source=https://github.com/containers/podman.git)

Original

$ podman info --format '{{ .Host.EventLogger }}'
journald

Check

$ podman info --format '{{ .Host.EventLogger }}' 
journald

7.3.2

Original

$ podman create -p 8080:8080 --name myapp quay.io/rhatdan/myimage
...
e6e128dad674c377001d957f5829e665c0287d487dc79c049647c972047a9e16

Check

$ podman create -p 8080:8080 --name myapp quay.io/rhatdan/myimage
Trying to pull quay.io/rhatdan/myimage:latest...
Getting image source signatures
Copying blob e3460238f8a1 done
Copying blob c7765172d3ce done
Copying blob 2b782a9ad894 done
Copying blob dfd8c625d022 done
Copying blob a1eadb69adf1 done
Copying config 2c7e43d880 done
Writing manifest to image destination
Storing signatures
WARNING: image platform (linux/amd64) does not match the expected platform (linux/arm64)
c351749f81ec39ab7c1ff13d7241d030e3e4f50627d1f146d1997ed45784dcf9

Original

$ mkdir -p $HOME/.config/systemd/user
$ podman generate systemd myapp > $HOME/.config/systemd/user/myapp.service

Check

$ mkdir -p $HOME/.config/systemd/user
$ podman generate systemd myapp > $HOME/.config/systemd/user/myapp.service

Original

$ cat $HOME/.config/systemd/user/myapp.service
# container-e6e128dad674....service
# autogenerated by Podman 4.5.0
# Sun May  7 15:15:29 JST 2023

[Unit]
Description=Podman container-e6e128dad674....service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=/run/user/501/containers

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStart=/usr/bin/podman start e6e128dad674...
ExecStop=/usr/bin/podman stop  \
	-t 10 e6e128dad674...
ExecStopPost=/usr/bin/podman stop  \
	-t 10 e6e128dad674...
PIDFile=/run/user/501/containers/overlay-containers/e6e128dad674.../userdata/conmon.pid
Type=forking

[Install]
WantedBy=default.target

Check

$ cat $HOME/.config/systemd/user/myapp.service
# container-c351749f81ec39ab7c1ff13d7241d030e3e4f50627d1f146d1997ed45784dcf9.service
# autogenerated by Podman 4.5.1
# Sat Jun 24 06:01:44 JST 2023

[Unit]
Description=Podman container-c351749f81ec39ab7c1ff13d7241d030e3e4f50627d1f146d1997ed45784dcf9.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=/run/user/1000/containers

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStart=/usr/bin/podman start c351749f81ec39ab7c1ff13d7241d030e3e4f50627d1f146d1997ed45784dcf9
ExecStop=/usr/bin/podman stop  \
	-t 10 c351749f81ec39ab7c1ff13d7241d030e3e4f50627d1f146d1997ed45784dcf9
ExecStopPost=/usr/bin/podman stop  \
	-t 10 c351749f81ec39ab7c1ff13d7241d030e3e4f50627d1f146d1997ed45784dcf9
PIDFile=/run/user/1000/containers/overlay-containers/c351749f81ec39ab7c1ff13d7241d030e3e4f50627d1f146d1997ed45784dcf9/userdata/conmon.pid
Type=forking

[Install]
WantedBy=default.target

Original

$ systemctl --user daemon-reload
$ systemctl --user start myapp
$ systemctl --user status myapp
● myapp.service - Podman container-e6e128dad674....service
     Loaded: loaded (/var/home/core/.config/systemd/user/myapp.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/user/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Sun 2023-05-07 15:34:34 JST; 1min 48s ago
...

Check (first stop the my-systemd container started in 7.1.3)

$ podman stop a4b41d717f0d
a4b41d717f0d
$ systemctl --user daemon-reload
$ systemctl --user start myapp
$ systemctl --user status myapp
● myapp.service - Podman container-d9b508f50b5d4c49d66d14dd8ebbaf6e5324b60fe616b871ab929e174647da7a.service
     Loaded: loaded (/home/user/.config/systemd/user/myapp.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/user/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Sat 2023-06-24 06:21:16 JST; 5s ago
       Docs: man:podman-generate-systemd(1)
    Process: 12369 ExecStart=/usr/bin/podman start d9b508f50b5d4c49d66d14dd8ebbaf6e5324b60fe616b871ab929e174647da7a (code=exited, status=0/SUCCESS)
   Main PID: 12396 (conmon)
      Tasks: 15 (limit: 4548)
     Memory: 4.5M
        CPU: 74ms
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/myapp.service
             ├─12380 /usr/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable-sandbox --enable-seccomp --enable-ipv6 -c -e 3 -r 4 --netns-type=path /run/user/1000/netns/netns-ab588e30-d5f6-01f8-1581-ed7fb90351df tap0
             ├─12382 rootlessport
             ├─12388 rootlessport-child
             └─12396 /usr/bin/conmon --api-version 1 -c d9b508f50b5d4c49d66d14dd8ebbaf6e5324b60fe616b871ab929e174647da7a -u d9b508f50b5d4c49d66d14dd8ebbaf6e5324b60fe616b871ab929e174647da7a -r /usr/bin/crun -b /home/user/.local/share/containers/storage/overlay-containers/>

Jun 24 06:21:17 localhost.localdomain myapp[12396]: [Fri Jun 23 21:21:17.386678 2023] [:notice] [pid 1:tid 274978919680] ModSecurity: PCRE compiled version="8.42 "; loaded version="8.42 2018-03-20"
Jun 24 06:21:17 localhost.localdomain myapp[12396]: [Fri Jun 23 21:21:17.386799 2023] [:notice] [pid 1:tid 274978919680] ModSecurity: LUA compiled version="Lua 5.3"
Jun 24 06:21:17 localhost.localdomain myapp[12396]: [Fri Jun 23 21:21:17.386870 2023] [:notice] [pid 1:tid 274978919680] ModSecurity: YAJL compiled version="2.1.0"
Jun 24 06:21:17 localhost.localdomain myapp[12396]: [Fri Jun 23 21:21:17.386946 2023] [:notice] [pid 1:tid 274978919680] ModSecurity: LIBXML compiled version="2.9.7"
Jun 24 06:21:17 localhost.localdomain myapp[12396]: [Fri Jun 23 21:21:17.387016 2023] [:notice] [pid 1:tid 274978919680] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
Jun 24 06:21:17 localhost.localdomain myapp[12396]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.0.2.100. Set the 'ServerName' directive globally to suppress this message
Jun 24 06:21:17 localhost.localdomain myapp[12396]: [Fri Jun 23 21:21:17.581379 2023] [ssl:warn] [pid 1:tid 274978919680] AH01909: 10.0.2.100:8443:0 server certificate does NOT include an ID which matches the server name
Jun 24 06:21:17 localhost.localdomain myapp[12396]: [Fri Jun 23 21:21:17.585814 2023] [lbmethod_heartbeat:notice] [pid 1:tid 274978919680] AH02282: No slotmem from mod_heartmonitor
Jun 24 06:21:17 localhost.localdomain myapp[12396]: [Fri Jun 23 21:21:17.610200 2023] [mpm_event:notice] [pid 1:tid 274978919680] AH00489: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1g configured -- resuming normal operations
Jun 24 06:21:17 localhost.localdomain myapp[12396]: [Fri Jun 23 21:21:17.610709 2023] [core:notice] [pid 1:tid 274978919680] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

Original

$ systemctl --user stop myapp

Check

$ systemctl --user stop myapp

7.3.3

Original

$ podman generate systemd --new myapp > $HOME/.config/systemd/user/myapp-new.service

Check

$ podman generate systemd --new myapp > $HOME/.config/systemd/user/myapp-new.service

Original

$ cat $HOME/.config/systemd/user/myapp-new.service
# container-e6e128dad674....service
# autogenerated by Podman 4.5.0
# Sun May  7 15:44:01 JST 2023

[Unit]
Description=Podman container-e6e128dad674....service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStart=/usr/bin/podman run \
	--cidfile=%t/%n.ctr-id \
	--cgroups=no-conmon \
	--rm \
	--sdnotify=conmon \
	-d \
	--replace \
	-p 8080:8080 \
	--name myapp quay.io/rhatdan/myimage
ExecStop=/usr/bin/podman stop \
	--ignore -t 10 \
	--cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm \
	-f \
	--ignore -t 10 \
	--cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all

[Install]
WantedBy=default.target

Check

$ cat $HOME/.config/systemd/user/myapp-new.service
# container-d9b508f50b5d4c49d66d14dd8ebbaf6e5324b60fe616b871ab929e174647da7a.service
# autogenerated by Podman 4.5.1
# Sat Jun 24 06:25:10 JST 2023

[Unit]
Description=Podman container-d9b508f50b5d4c49d66d14dd8ebbaf6e5324b60fe616b871ab929e174647da7a.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStart=/usr/bin/podman run \
	--cidfile=%t/%n.ctr-id \
	--cgroups=no-conmon \
	--rm \
	--sdnotify=conmon \
	-d \
	--replace \
	-p 8080:8080 \
	--name myapp quay.io/rhatdan/myimage
ExecStop=/usr/bin/podman stop \
	--ignore -t 10 \
	--cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm \
	-f \
	--ignore -t 10 \
	--cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all

[Install]
WantedBy=default.target

Check (verify)

$ systemctl --user stop myapp.service
$ podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS                     PORTS                   NAMES
d9b508f50b5d  quay.io/rhatdan/myimage:latest  /usr/bin/run-http...  8 minutes ago  Exited (0) 30 seconds ago  0.0.0.0:8080->8080/tcp  myapp
$ systemctl --user start myapp-new.service
$ podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED         STATUS         PORTS                   NAMES
ccbd6d6f4b31  quay.io/rhatdan/myimage:latest  /usr/bin/run-http...  17 seconds ago  Up 17 seconds  0.0.0.0:8080->8080/tcp  myapp
$ podman rm -f -t 0 myapp
myapp
[user@localhost ~]$ systemctl --user status myapp-new.service
● myapp-new.service - Podman container-d9b508f50b5d4c49d66d14dd8ebbaf6e5324b60fe616b871ab929e174647da7a.service
     Loaded: loaded (/home/user/.config/systemd/user/myapp-new.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/user/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Sat 2023-06-24 06:30:32 JST; 9s ago
       Docs: man:podman-generate-systemd(1)
   Main PID: 13372 (conmon)
      Tasks: 15 (limit: 4548)
     Memory: 4.5M
        CPU: 83ms
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/myapp-new.service
             ├─13356 /usr/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable-sandbox --enable-seccomp --enable-ipv6 -c -e 3 -r 4 --netns-type=path /run/user/1000/netns/netns-e96993f8-fc48-7435-18d6-108610bd098b tap0
             ├─13358 rootlessport
             ├─13363 rootlessport-child
             └─13372 /usr/bin/conmon --api-version 1 -c da0ca6eb2d156713d374d0cf5878416e4d9da1d4b773a252ed52ffbb12b7e13d -u da0ca6eb2d156713d374d0cf5878416e4d9da1d4b773a252ed52ffbb12b7e13d -r /usr/bin/crun -b /home/user/.local/share/containers/storage/overlay-containers/>

Jun 24 06:30:33 localhost.localdomain myapp[13372]: [Fri Jun 23 21:30:33.033072 2023] [:notice] [pid 1:tid 274978919680] ModSecurity: PCRE compiled version="8.42 "; loaded version="8.42 2018-03-20"
Jun 24 06:30:33 localhost.localdomain myapp[13372]: [Fri Jun 23 21:30:33.033165 2023] [:notice] [pid 1:tid 274978919680] ModSecurity: LUA compiled version="Lua 5.3"
Jun 24 06:30:33 localhost.localdomain myapp[13372]: [Fri Jun 23 21:30:33.033204 2023] [:notice] [pid 1:tid 274978919680] ModSecurity: YAJL compiled version="2.1.0"
Jun 24 06:30:33 localhost.localdomain myapp[13372]: [Fri Jun 23 21:30:33.033254 2023] [:notice] [pid 1:tid 274978919680] ModSecurity: LIBXML compiled version="2.9.7"
Jun 24 06:30:33 localhost.localdomain myapp[13372]: [Fri Jun 23 21:30:33.033291 2023] [:notice] [pid 1:tid 274978919680] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
Jun 24 06:30:33 localhost.localdomain myapp[13372]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.0.2.100. Set the 'ServerName' directive globally to suppress this message
Jun 24 06:30:33 localhost.localdomain myapp[13372]: [Fri Jun 23 21:30:33.224534 2023] [ssl:warn] [pid 1:tid 274978919680] AH01909: 10.0.2.100:8443:0 server certificate does NOT include an ID which matches the server name
Jun 24 06:30:33 localhost.localdomain myapp[13372]: [Fri Jun 23 21:30:33.228819 2023] [lbmethod_heartbeat:notice] [pid 1:tid 274978919680] AH02282: No slotmem from mod_heartmonitor
Jun 24 06:30:33 localhost.localdomain myapp[13372]: [Fri Jun 23 21:30:33.250790 2023] [mpm_event:notice] [pid 1:tid 274978919680] AH00489: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1g configured -- resuming normal operations
Jun 24 06:30:33 localhost.localdomain myapp[13372]: [Fri Jun 23 21:30:33.251166 2023] [core:notice] [pid 1:tid 274978919680] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[user@localhost ~]$
[user@localhost ~]$ podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED         STATUS         PORTS                   NAMES
da0ca6eb2d15  quay.io/rhatdan/myimage:latest  /usr/bin/run-http...  15 seconds ago  Up 15 seconds  0.0.0.0:8080->8080/tcp  myapp

7.3.4

Original

$ systemctl --user stop myapp-new 
$ podman rm myapp --force -t 0

Check

$ systemctl --user stop myapp-new 
$ podman rm myapp --force -t 0

Original

$ podman create --label "io.containers.autoupdate=registry" -p 8080:8080 --name myapp quay.io/rhatdan/myimage
397ad15601868eb6fd77fe0b67136869cde9e0ffad90ee5095a19de5bb4b999e

Check

$ podman push quay.io/rhatdan/myimage quay.io/tnk4on/myimage
$ podman create --label "io.containers.autoupdate=registry" -p 8080:8080 --name myapp quay.io/tnk4on/myimage
Original

$ podman generate systemd myapp --new > $HOME/.config/systemd/user/myapp-new.service

Check

$ podman generate systemd myapp --new > $HOME/.config/systemd/user/myapp-new.service

Original

$ systemctl --user daemon-reload
$ systemctl --user start myapp-new

Check

$ systemctl --user daemon-reload
$ systemctl --user start myapp-new

Original

$ podman exec -i myapp bash -c 'cat > /var/www/html/index.html' << _EOF
<html>
 <head>
 </head>
 <body>
  <h1>Welcome to the new Hello World<h1>
 </body>
</html>
_EOF

Check

$ podman exec -i myapp bash -c 'cat > /var/www/html/index.html' << _EOF
<html>
 <head>
 </head>
 <body>
  <h1>Welcome to the new Hello World<h1>
 </body>
</html>
_EOF

Original

$ podman commit myapp quay.io/rhatdan/myimage-new
...
226ec055eef82ac185c53a26de9e98da4e6403640e72c7461a711edcbcaa2422
$ podman push quay.io/rhatdan/myimage-new quay.io/rhatdan/myimage
...
$ podman rmi quay.io/rhatdan/myimage-new

Check

$ podman commit myapp quay.io/tnk4on/myimage-new
WARN[0000] archive: skipping "/home/user/.local/share/containers/storage/overlay/91d069c30058593359dbe3f42780b31b07f9389a5e12016d2763627a269c5282/diff/run/httpd/cgisock.1" since it is a socket
Getting image source signatures
Copying blob e39c3abf0df9 skipped: already exists
Copying blob 8f26704f753c skipped: already exists
Copying blob 83310c7c677c skipped: already exists
Copying blob 654b3bf1361e skipped: already exists
Copying blob 164d51196137 skipped: already exists
Copying blob 6964cdc0c198 done
Copying config 567e7b13bc done
Writing manifest to image destination
Storing signatures
567e7b13bccd95f69166301e0c4b142b0b98bef5ec765b801aa969e5347ff007

$ podman push quay.io/tnk4on/myimage-new quay.io/tnk4on/myimage
Getting image source signatures
Copying blob 6964cdc0c198 done
Copying blob c7765172d3ce skipped: already exists
Copying blob a1eadb69adf1 skipped: already exists
Copying blob e3460238f8a1 skipped: already exists
Copying blob dfd8c625d022 skipped: already exists
Copying blob 2b782a9ad894 skipped: already exists
Copying config 567e7b13bc done
Writing manifest to image destination
Storing signatures

$ podman rmi quay.io/tnk4on/myimage-new:latest
Untagged: quay.io/tnk4on/myimage-new:latest
Deleted: 567e7b13bccd95f69166301e0c4b142b0b98bef5ec765b801aa969e5347ff007

Original

$ podman auto-update
Trying to pull quay.io/rhatdan/myimage...
Getting image source signatures
Copying blob ecfb9899f4ce done
Copying config 37e5619f4a done
Writing manifest to image destination
Storing signatures
UNIT              CONTAINER            IMAGE                   POLICY   UPDATED
myapp-new.service c8888d1319c4 (myapp) quay.io/rhatdan/myimage registry true

Check

$ podman auto-update
Trying to pull quay.io/tnk4on/myimage:latest...
Getting image source signatures
Copying blob a05a0ad89c28 skipped: already exists
Copying blob c7765172d3ce skipped: already exists
Copying blob 2b782a9ad894 skipped: already exists
Copying blob dfd8c625d022 skipped: already exists
Copying blob a1eadb69adf1 skipped: already exists
Copying blob e3460238f8a1 skipped: already exists
Copying config 96b9c6b2e7 done
Writing manifest to image destination
Storing signatures
            UNIT               CONTAINER             IMAGE                   POLICY      UPDATED
            myapp-new.service  6dae743f5ab1 (myapp)  quay.io/tnk4on/myimage  registry    true

7.6

Original

$ systemctl --user stop myapp.service
$ cat > $HOME/.config/systemd/user/myapp.socket <<_EOF
[Unit]
Description=myapp socket service
PartOf=myapp.service
[Socket]
ListenStream=127.0.0.1:8080
WantedBy=sockets.target
[Install]
_EOF

NG (the original places WantedBy= under [Socket] and leaves [Install] empty; the corrected unit in the Check below moves WantedBy= into [Install])

Check

$ systemctl --user stop myapp.service
$ cat > $HOME/.config/systemd/user/myapp.socket <<_EOF
[Unit]
Description=myapp socket service
PartOf=myapp.service
[Socket]
ListenStream=0.0.0.0:8080
[Install]
WantedBy=sockets.target
_EOF

Original

$ systemctl --user enable --now myapp.socket
$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

Check

$ systemctl --user stop myapp-new.service
$ systemctl --user enable --now myapp.socket
Created symlink /home/user/.config/systemd/user/sockets.target.wants/myapp.socket → /home/user/.config/systemd/user/myapp.socket.
$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
$ ss -ltnup | grep 8080
tcp   LISTEN 0      4096                           127.0.0.1:8080      0.0.0.0:*    users:(("systemd",pid=964,fd=24))
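The NG unit above fails for a reason that is easy to miss by eye: a directive in the wrong section. The following added example (my own code, not from the gist, the book or the Podman project) is a small linter for systemd .socket units. It parses the INI-style unit text, flags directives placed outside the section systemd expects them in, and reports which address each ListenStream= binds, so a socket unit that would expose a port on every interface (0.0.0.0, [::] or a bare port number) is visible before it is enabled. The EXPECTED_SECTION table is a hand-picked subset of systemd.socket(5) and systemd.unit(5), and both unit texts are the ones from this section, embedded so the script runs offline.

```python
"""Minimal linter for systemd .socket units (added example, not Podman code).

Checks two things a reviewer cares about before `systemctl enable --now`:
  1. each known directive sits in the section systemd reads it from
     (the NG unit above has WantedBy= under [Socket] instead of [Install]);
  2. what address ListenStream= binds, flagging wildcard binds that expose
     the port on all interfaces.
"""

from dataclasses import dataclass, field

# Directive -> section it belongs in. Hand-picked subset of systemd.socket(5)
# and systemd.unit(5); constructed for this example, extend as needed.
EXPECTED_SECTION = {
    "Description": "Unit",
    "PartOf": "Unit",
    "ListenStream": "Socket",
    "ListenDatagram": "Socket",
    "WantedBy": "Install",
    "RequiredBy": "Install",
}

# The two unit files from the gist, embedded verbatim.
NG_UNIT = """\
[Unit]
Description=myapp socket service
PartOf=myapp.service
[Socket]
ListenStream=127.0.0.1:8080
WantedBy=sockets.target
[Install]
"""

FIXED_UNIT = """\
[Unit]
Description=myapp socket service
PartOf=myapp.service
[Socket]
ListenStream=0.0.0.0:8080
[Install]
WantedBy=sockets.target
"""


@dataclass
class LintResult:
    misplaced: list = field(default_factory=list)  # (key, found_section, expected_section)
    missing: list = field(default_factory=list)    # required keys not found in the right section
    listen: list = field(default_factory=list)     # ListenStream=/ListenDatagram= values
    wildcard_bind: bool = False                    # True if any listener binds all interfaces


def parse_unit(text):
    """Return {section: [(key, value), ...]} preserving order; keys may repeat."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"directive outside any section or malformed: {raw!r}")
        key, value = line.split("=", 1)
        sections[current].append((key.strip(), value.strip()))
    return sections


def bind_is_wildcard(spec):
    """True when a ListenStream=/ListenDatagram= value listens on every interface."""
    if spec.startswith(("/", "@")):          # AF_UNIX path or abstract socket
        return False
    if ":" not in spec:                       # bare port, e.g. "8080": all addresses
        return True
    host = spec.rsplit(":", 1)[0]
    return host in ("0.0.0.0", "[::]", "")


def lint_socket_unit(text, required=("ListenStream", "WantedBy")):
    """Lint one unit file; returns a LintResult (empty misplaced/missing means OK)."""
    sections = parse_unit(text)
    result = LintResult()
    seen_ok = set()
    for section, entries in sections.items():
        for key, value in entries:
            expected = EXPECTED_SECTION.get(key)
            if expected is not None and expected != section:
                result.misplaced.append((key, section, expected))
                continue                      # a misplaced directive is ignored by systemd
            seen_ok.add(key)
            if key in ("ListenStream", "ListenDatagram"):
                result.listen.append(value)
                if bind_is_wildcard(value):
                    result.wildcard_bind = True
    result.missing = [k for k in required if k not in seen_ok]
    return result


if __name__ == "__main__":
    for name, unit in (("NG", NG_UNIT), ("fixed", FIXED_UNIT)):
        r = lint_socket_unit(unit)
        print(f"{name}: misplaced={r.misplaced} missing={r.missing} "
              f"listen={r.listen} wildcard_bind={r.wildcard_bind}")
```

For the NG unit the linter reports WantedBy= as misplaced (found in [Socket], expected in [Install]) and therefore also missing, which is why `systemctl --user enable` would have nothing to hook into sockets.target. For the corrected unit it reports no placement problems but flags the 0.0.0.0:8080 bind as a wildcard listener, the difference between a socket reachable only from the host and one reachable from the network. On a real system `systemd-analyze --user verify myapp.socket` performs the authoritative check.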

8.2

Original

$ podman rm -f --ignore myapp
myapp
$ podman create -p 8080:8080 --name myapp quay.io/rhatdan/myimage
aca28e84eb6fca47883a201fe9b067ff6256a28f71069b1628d44d5e54cd073b

Check

$ podman rm -f --ignore myapp
myapp
$ podman create -p 8080:8080 --name myapp quay.io/rhatdan/myimage
36b5fdd192e84cfdab88a8c6f8f06ba736d907c8c0f66ffcaaf0c6645931d55b

Original

$ podman kube generate myapp > myapp.yaml
$ cat myapp.yaml
# Save the output of this file and use kubectl create -f to import
# it into Kubernetes.
#
# Created with podman-4.4.1
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2023-05-20T16:35:47Z"
  labels:
    app: myapp-pod
  name: myapp-pod
spec:
  containers:
  - args:
    - /usr/bin/run-httpd
    image: quay.io/rhatdan/myimage:latest
    name: myapp
    ports:
    - containerPort: 8080
      hostPort: 8080
    securityContext:
      runAsNonRoot: true

Check

$ podman kube generate myapp > myapp.yaml
$ cat myapp.yaml
# Save the output of this file and use kubectl create -f to import
# it into Kubernetes.
#
# Created with podman-4.5.1
apiVersion: v1
kind: Pod
metadata:
  annotations:
    io.podman.annotations.ulimit: nofile=524288:524288,nproc=15161:15161
  creationTimestamp: "2023-06-23T23:36:57Z"
  labels:
    app: myapp-pod
  name: myapp-pod
spec:
  containers:
  - args:
    - /usr/bin/run-httpd
    env:
    - name: foo
      value: bar
    image: quay.io/rhatdan/myimage:latest
    name: myapp
    ports:
    - containerPort: 8080
      hostPort: 8080
    securityContext:
      runAsNonRoot: true

8.3

Original

$ podman rm -f --ignore myapp
myapp
$ podman kube play myapp.yaml
Pod:
826a2b6363ff0454fd53ab3a95ed28d0669a2c3961dd5344d56e390aa3e5e594
Container:
8bac49a7a041eaa8c5732200da376196327506e914131b9aced93ccce8e56923

15a0d7fb5a47069b4c19097ebea699265e395e29cc135732cb4d8bb78d7e5cd2

Check

$ podman kube play myapp.yaml
Pod:
e5305627f8fb4dba45892c2d24d249a18c9e6ca6bdfb10b3d83015a424a3cb64
Container:
1bf6fa27bea413232b1ca69f8dbcd1623fc6aa083d561b2301d7f9e72e8106f2

Original

$ podman pod ps --ctr-names
POD ID        NAME        STATUS      CREATED             INFRA ID      NAMES
826a2b6363ff  myapp-pod   Running     About a minute ago  24e9ee92fef8  826a2b6363ff-infra,myapp-pod-myapp

Check

$ podman pod ps --ctr-names
POD ID        NAME        STATUS      CREATED        INFRA ID      NAMES
e5305627f8fb  myapp-pod   Running     2 minutes ago  7fcec53cef58  myapp-pod-myapp,e5305627f8fb-infra

Original

$ podman ps
CONTAINER ID  IMAGE                                    COMMAND               CREATED        STATUS        PORTS                   NAMES
24e9ee92fef8  localhost/podman-pause:4.4.1-1682527828                        2 minutes ago  Up 2 minutes  0.0.0.0:8080->8080/tcp  826a2b6363ff-infra
8bac49a7a041  quay.io/rhatdan/myimage:latest           /usr/bin/run-http...  2 minutes ago  Up 2 minutes  0.0.0.0:8080->8080/tcp  myapp-pod-myapp

Check

$ podman ps
CONTAINER ID  IMAGE                                    COMMAND               CREATED        STATUS        PORTS                   NAMES
7fcec53cef58  localhost/podman-pause:4.5.1-1685123899                        3 minutes ago  Up 3 minutes  0.0.0.0:8080->8080/tcp  e5305627f8fb-infra
1bf6fa27bea4  quay.io/rhatdan/myimage:latest           /usr/bin/run-http...  3 minutes ago  Up 3 minutes  0.0.0.0:8080->8080/tcp  myapp-pod-myapp

Original

$ podman pod stop myapp-pod
826a2b6363ff0454fd53ab3a95ed28d0669a2c3961dd5344d56e390aa3e5e594

Check

$ podman pod stop myapp-pod
e5305627f8fb4dba45892c2d24d249a18c9e6ca6bdfb10b3d83015a424a3cb64

8.3.1

Original

$ podman kube down myapp.yaml
Pods stopped:
826a2b6363ff0454fd53ab3a95ed28d0669a2c3961dd5344d56e390aa3e5e594
Pods removed:
826a2b6363ff0454fd53ab3a95ed28d0669a2c3961dd5344d56e390aa3e5e594
Volumes removed:

Check

$ podman kube down myapp.yaml
Pods stopped:
e5305627f8fb4dba45892c2d24d249a18c9e6ca6bdfb10b3d83015a424a3cb64
Pods removed:
e5305627f8fb4dba45892c2d24d249a18c9e6ca6bdfb10b3d83015a424a3cb64
Secrets removed:
Volumes removed:

Original

$ podman pod ps
POD ID      NAME        STATUS      CREATED     INFRA ID    # OF CONTAINERS

Check

$ podman pod ps
POD ID      NAME        STATUS      CREATED     INFRA ID    # OF CONTAINERS

Original

$ podman kube play myapp.yaml
Pod:
ca62cc94d14e383fa90778aa79c89225ab30b0c8fd2881d752d4bd8bcbd04a39
Container:
01d124ce7fc726d383895731ad7c4c7a83d9790479c2b2612a7475aab7a7608c

Check

$ podman kube play myapp.yaml
Pod:
3a114b4ba78d896c230b1da498592926827cdccd905c4668476727aff4f02515
Container:
62a3cc015fd31e74c20621aa6a4afc7b1286ecfe311b50c4f3c5e825724a788e

8.3.2

Original

$ cat > ./Containerfile << _EOF
FROM ubi8-init
RUN dnf -y install httpd; dnf -y clean all
RUN systemctl enable httpd.service
_EOF

Check

$ cat > ./Containerfile << _EOF
FROM ubi8-init
RUN dnf -y install httpd; dnf -y clean all
RUN systemctl enable httpd.service
_EOF

Original

$ podman pod rm --all --force
$ podman rm --all --force

Check

$ podman pod rm --all --force
3a114b4ba78d896c230b1da498592926827cdccd905c4668476727aff4f02515
$ podman rm --all --force
36b5fdd192e84cfdab88a8c6f8f06ba736d907c8c0f66ffcaaf0c6645931d55b

Original

$ podman build -t mysystemd .
STEP 1/3: FROM ubi8-init
STEP 2/3: RUN dnf -y install httpd; dnf -y clean all
Updating Subscription Management repositories.
Unable to read consumer identity
…
Successfully tagged localhost/mysystemd:latest
75175dacc4d346961662b052aae8deb48dd6179d79ecfdd1978d9a263e85eb6c

Check

$ podman build -t mysystemd .
STEP 1/3: FROM ubi8-init
Resolved "ubi8-init" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8-init:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob dc5bc235f26c done
Copying blob a94348648fdb done
Copying config 7853751841 done
Writing manifest to image destination
Storing signatures
STEP 2/3: RUN dnf -y install httpd; dnf -y clean all
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Red Hat Universal Base Image 8 (RPMs) - BaseOS  201 kB/s | 611 kB     00:03
Red Hat Universal Base Image 8 (RPMs) - AppStre 1.6 MB/s | 3.0 MB     00:01
Red Hat Universal Base Image 8 (RPMs) - CodeRea  50 kB/s |  69 kB     00:01
Dependencies resolved.
====================================================================================================
 Package              Arch     Version                                   Repository             Size
====================================================================================================
Installing:
 httpd                aarch64  2.4.37-56.module+el8.8.0+18758+b3a9c8da.6 ubi-8-appstream-rpms  1.4 M
Installing dependencies:
 apr                  aarch64  1.6.3-12.el8                              ubi-8-appstream-rpms  123 k
 apr-util             aarch64  1.6.1-6.el8_8.1                           ubi-8-appstream-rpms  104 k
 httpd-filesystem     noarch   2.4.37-56.module+el8.8.0+18758+b3a9c8da.6 ubi-8-appstream-rpms   43 k
 httpd-tools          aarch64  2.4.37-56.module+el8.8.0+18758+b3a9c8da.6 ubi-8-appstream-rpms  109 k
 mailcap              noarch   2.1.48-3.el8                              ubi-8-baseos-rpms      39 k
 mod_http2            aarch64  1.15.7-8.module+el8.8.0+18751+b4557bca.3  ubi-8-appstream-rpms  147 k
 redhat-logos-httpd   noarch   84.5-1.el8                                ubi-8-baseos-rpms      29 k
Installing weak dependencies:
 apr-util-bdb         aarch64  1.6.1-6.el8_8.1                           ubi-8-appstream-rpms   25 k
 apr-util-openssl     aarch64  1.6.1-6.el8_8.1                           ubi-8-appstream-rpms   27 k
Enabling module streams:
 httpd                         2.4

Transaction Summary
====================================================================================================
Install  10 Packages

Total download size: 2.0 M
Installed size: 10 M
Downloading Packages:
(1/10): mailcap-2.1.48-3.el8.noarch.rpm         408 kB/s |  39 kB     00:00
(2/10): redhat-logos-httpd-84.5-1.el8.noarch.rp 302 kB/s |  29 kB     00:00
(3/10): apr-1.6.3-12.el8.aarch64.rpm            937 kB/s | 123 kB     00:00
(4/10): httpd-tools-2.4.37-56.module+el8.8.0+18 2.0 MB/s | 109 kB     00:00
(5/10): apr-util-1.6.1-6.el8_8.1.aarch64.rpm    2.2 MB/s | 104 kB     00:00
(6/10): apr-util-bdb-1.6.1-6.el8_8.1.aarch64.rp 609 kB/s |  25 kB     00:00
(7/10): apr-util-openssl-1.6.1-6.el8_8.1.aarch6 542 kB/s |  27 kB     00:00
(8/10): mod_http2-1.15.7-8.module+el8.8.0+18751 1.7 MB/s | 147 kB     00:00
(9/10): httpd-filesystem-2.4.37-56.module+el8.8 536 kB/s |  43 kB     00:00
(10/10): httpd-2.4.37-56.module+el8.8.0+18758+b 5.5 MB/s | 1.4 MB     00:00
--------------------------------------------------------------------------------
Total                                           5.7 MB/s | 2.0 MB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : apr-1.6.3-12.el8.aarch64                              1/10
  Running scriptlet: apr-1.6.3-12.el8.aarch64                              1/10
  Installing       : apr-util-bdb-1.6.1-6.el8_8.1.aarch64                  2/10
  Installing       : apr-util-openssl-1.6.1-6.el8_8.1.aarch64              3/10
  Installing       : apr-util-1.6.1-6.el8_8.1.aarch64                      4/10
  Running scriptlet: apr-util-1.6.1-6.el8_8.1.aarch64                      4/10
  Installing       : httpd-tools-2.4.37-56.module+el8.8.0+18758+b3a9c8d    5/10
  Running scriptlet: httpd-filesystem-2.4.37-56.module+el8.8.0+18758+b3    6/10
  Installing       : httpd-filesystem-2.4.37-56.module+el8.8.0+18758+b3    6/10
  Installing       : mailcap-2.1.48-3.el8.noarch                           7/10
  Installing       : redhat-logos-httpd-84.5-1.el8.noarch                  8/10
  Installing       : mod_http2-1.15.7-8.module+el8.8.0+18751+b4557bca.3    9/10
  Installing       : httpd-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aa   10/10
  Running scriptlet: httpd-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aa   10/10
  Verifying        : redhat-logos-httpd-84.5-1.el8.noarch                  1/10
  Verifying        : mailcap-2.1.48-3.el8.noarch                           2/10
  Verifying        : apr-1.6.3-12.el8.aarch64                              3/10
  Verifying        : httpd-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aa    4/10
  Verifying        : httpd-tools-2.4.37-56.module+el8.8.0+18758+b3a9c8d    5/10
  Verifying        : apr-util-1.6.1-6.el8_8.1.aarch64                      6/10
  Verifying        : apr-util-bdb-1.6.1-6.el8_8.1.aarch64                  7/10
  Verifying        : apr-util-openssl-1.6.1-6.el8_8.1.aarch64              8/10
  Verifying        : mod_http2-1.15.7-8.module+el8.8.0+18751+b4557bca.3    9/10
  Verifying        : httpd-filesystem-2.4.37-56.module+el8.8.0+18758+b3   10/10
Installed products updated.

Installed:
  apr-1.6.3-12.el8.aarch64
  apr-util-1.6.1-6.el8_8.1.aarch64
  apr-util-bdb-1.6.1-6.el8_8.1.aarch64
  apr-util-openssl-1.6.1-6.el8_8.1.aarch64
  httpd-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aarch64
  httpd-filesystem-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.noarch
  httpd-tools-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aarch64
  mailcap-2.1.48-3.el8.noarch
  mod_http2-1.15.7-8.module+el8.8.0+18751+b4557bca.3.aarch64
  redhat-logos-httpd-84.5-1.el8.noarch

Complete!
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

25 files removed
--> 969743fdbc31
STEP 3/3: RUN systemctl enable httpd.service
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
COMMIT mysystemd
--> c97ff438190c
Successfully tagged localhost/mysystemd:latest
c97ff438190cb8c7352e1b1fd503e8bca105481c87c494879e96aa66d8305586

Original

$ podman create --rm -p 8080:80 --name myapp -v ./html:/var/www/html:Z mysystemd
049b7c549c8fbc3e3fd796d60b07f0637506e7d63e97c0368047b63c7600a819

Check

$ podman create --rm -p 8080:80 --name myapp -v ./html:/var/www/html:Z mysystemd
d1979d17a5e9f49fb7d8f7e6cbed12f39c5fe3c2c2aa3642b71bd274334e855b

Original

$ podman kube generate myapp > myapp2.yaml

Check

$ podman kube generate myapp > myapp2.yaml

Original

$ cat myapp2.yaml
…
spec:
  containers:
  - image: localhost/mysystemd:latest
    …
    volumeMounts:
    - mountPath: /var/www/html
      name: root-html-host-0
  volumes:
  - hostPath:
      path: /root/html
      type: Directory
    name: root-html-host-0

Check

$ cat myapp2.yaml
# Save the output of this file and use kubectl create -f to import
# it into Kubernetes.
#
# Created with podman-4.5.1

# NOTE: If you generated this yaml from an unprivileged and rootless podman container on an SELinux
# enabled system, check the podman generate kube man page for steps to follow to ensure that your pod/container
# has the right permissions to access the volumes added.
---
apiVersion: v1
kind: Pod
metadata:
  annotations:
    bind-mount-options: /home/user/html:Z
    io.podman.annotations.ulimit: nofile=524288:524288,nproc=15161:15161
  creationTimestamp: "2023-06-24T00:03:15Z"
  labels:
    app: myapp-pod
  name: myapp-pod
spec:
  containers:
  - env:
    - name: foo
      value: bar
    image: localhost/mysystemd:latest
    name: myapp
    ports:
    - containerPort: 80
      hostPort: 8080
    volumeMounts:
    - mountPath: /var/www/html
      name: home-user-html-host-0
  volumes:
  - hostPath:
      path: /home/user/html
      type: Directory
    name: home-user-html-host-0

spec:
  containers:
  - image: localhost/mysystemd:latest
    ...
    volumeMounts:
    - mountPath: /var/www/html
      name: home-dwalsh-podman-html-host-0
  volumes:
  - hostPath:
      path: /home/dwalsh/podman/html
      type: Directory
    name: home-dwalsh-podman-html-host-0

Original

$ podman pod rm --all --force
$ podman rm --all --force
fec6de5716ac246613723a4cc26407005e0bc315affdc62b56883bd94acd795e
$ podman rmi mysystemd
Untagged: localhost/mysystemd:latest
Deleted: bb1634ce1457f2eb70f84af33599d211eae64cb5f951e40e91481b6e58b747bf
Deleted: 70e0c1a7580089420267b5928210ad59fdd555603e647b462159ea94f97946f9

Check

$ podman pod rm --all --force
$ podman rm --all --force
d1979d17a5e9f49fb7d8f7e6cbed12f39c5fe3c2c2aa3642b71bd274334e855b
$ podman rmi mysystemd
Untagged: localhost/mysystemd:latest
Deleted: c97ff438190cb8c7352e1b1fd503e8bca105481c87c494879e96aa66d8305586
Deleted: 969743fdbc31680c40fc358d3c6ac2c8ca222a9d9875987badf3752500f0ac31

Original

$ mkdir mysystemd
$ mv Containerfile mysystemd/

Check

$ mkdir mysystemd
$ mv Containerfile mysystemd/

Original

$ podman kube play --build myapp2.yaml
STEP 1/3: FROM ubi8-init
STEP 2/3: RUN dnf -y install httpd; dnf -y clean all
Updating Subscription Management repositories.
…
--> 9a2ab8bed24
Successfully tagged localhost/mysystemd:latest
9a2ab8bed2401a2c57fb3211bc054ce08a96adaf4789fd255fc57c828a8a92b4
Pod:
9fbc9089765121a6350c6b2da9ba41e9f20e25e5a7aee243fc51ff78a21b15c3
Container:
06f5e9c2a2e734d71f2acdd0f8ed91041fe5c20d8e6781c79f29d55cad877bcf

Check

$ podman kube play --build myapp2.yaml
STEP 1/3: FROM ubi8-init
STEP 2/3: RUN dnf -y install httpd; dnf -y clean all
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Red Hat Universal Base Image 8 (RPMs) - BaseOS  735 kB/s | 611 kB     00:00
Red Hat Universal Base Image 8 (RPMs) - AppStre 2.7 MB/s | 3.0 MB     00:01
Red Hat Universal Base Image 8 (RPMs) - CodeRea 105 kB/s |  69 kB     00:00
Dependencies resolved.
====================================================================================================
 Package              Arch     Version                                   Repository             Size
====================================================================================================
Installing:
 httpd                aarch64  2.4.37-56.module+el8.8.0+18758+b3a9c8da.6 ubi-8-appstream-rpms  1.4 M
Installing dependencies:
 apr                  aarch64  1.6.3-12.el8                              ubi-8-appstream-rpms  123 k
 apr-util             aarch64  1.6.1-6.el8_8.1                           ubi-8-appstream-rpms  104 k
 httpd-filesystem     noarch   2.4.37-56.module+el8.8.0+18758+b3a9c8da.6 ubi-8-appstream-rpms   43 k
 httpd-tools          aarch64  2.4.37-56.module+el8.8.0+18758+b3a9c8da.6 ubi-8-appstream-rpms  109 k
 mailcap              noarch   2.1.48-3.el8                              ubi-8-baseos-rpms      39 k
 mod_http2            aarch64  1.15.7-8.module+el8.8.0+18751+b4557bca.3  ubi-8-appstream-rpms  147 k
 redhat-logos-httpd   noarch   84.5-1.el8                                ubi-8-baseos-rpms      29 k
Installing weak dependencies:
 apr-util-bdb         aarch64  1.6.1-6.el8_8.1                           ubi-8-appstream-rpms   25 k
 apr-util-openssl     aarch64  1.6.1-6.el8_8.1                           ubi-8-appstream-rpms   27 k
Enabling module streams:
 httpd                         2.4

Transaction Summary
====================================================================================================
Install  10 Packages

Total download size: 2.0 M
Installed size: 10 M
Downloading Packages:
(1/10): redhat-logos-httpd-84.5-1.el8.noarch.rp  94 kB/s |  29 kB     00:00
(2/10): mailcap-2.1.48-3.el8.noarch.rpm         120 kB/s |  39 kB     00:00
(3/10): apr-1.6.3-12.el8.aarch64.rpm            329 kB/s | 123 kB     00:00
(4/10): httpd-tools-2.4.37-56.module+el8.8.0+18 1.5 MB/s | 109 kB     00:00
(5/10): apr-util-1.6.1-6.el8_8.1.aarch64.rpm    1.9 MB/s | 104 kB     00:00
(6/10): apr-util-bdb-1.6.1-6.el8_8.1.aarch64.rp 546 kB/s |  25 kB     00:00
(7/10): apr-util-openssl-1.6.1-6.el8_8.1.aarch6 425 kB/s |  27 kB     00:00
(8/10): httpd-filesystem-2.4.37-56.module+el8.8 481 kB/s |  43 kB     00:00
(9/10): mod_http2-1.15.7-8.module+el8.8.0+18751 978 kB/s | 147 kB     00:00
(10/10): httpd-2.4.37-56.module+el8.8.0+18758+b 2.4 MB/s | 1.4 MB     00:00
--------------------------------------------------------------------------------
Total                                           2.2 MB/s | 2.0 MB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : apr-1.6.3-12.el8.aarch64                              1/10
  Running scriptlet: apr-1.6.3-12.el8.aarch64                              1/10
  Installing       : apr-util-bdb-1.6.1-6.el8_8.1.aarch64                  2/10
  Installing       : apr-util-openssl-1.6.1-6.el8_8.1.aarch64              3/10
  Installing       : apr-util-1.6.1-6.el8_8.1.aarch64                      4/10
  Running scriptlet: apr-util-1.6.1-6.el8_8.1.aarch64                      4/10
  Installing       : httpd-tools-2.4.37-56.module+el8.8.0+18758+b3a9c8d    5/10
  Running scriptlet: httpd-filesystem-2.4.37-56.module+el8.8.0+18758+b3    6/10
  Installing       : httpd-filesystem-2.4.37-56.module+el8.8.0+18758+b3    6/10
  Installing       : mailcap-2.1.48-3.el8.noarch                           7/10
  Installing       : redhat-logos-httpd-84.5-1.el8.noarch                  8/10
  Installing       : mod_http2-1.15.7-8.module+el8.8.0+18751+b4557bca.3    9/10
  Installing       : httpd-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aa   10/10
  Running scriptlet: httpd-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aa   10/10
  Verifying        : redhat-logos-httpd-84.5-1.el8.noarch                  1/10
  Verifying        : mailcap-2.1.48-3.el8.noarch                           2/10
  Verifying        : apr-1.6.3-12.el8.aarch64                              3/10
  Verifying        : httpd-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aa    4/10
  Verifying        : httpd-tools-2.4.37-56.module+el8.8.0+18758+b3a9c8d    5/10
  Verifying        : apr-util-1.6.1-6.el8_8.1.aarch64                      6/10
  Verifying        : apr-util-bdb-1.6.1-6.el8_8.1.aarch64                  7/10
  Verifying        : apr-util-openssl-1.6.1-6.el8_8.1.aarch64              8/10
  Verifying        : mod_http2-1.15.7-8.module+el8.8.0+18751+b4557bca.3    9/10
  Verifying        : httpd-filesystem-2.4.37-56.module+el8.8.0+18758+b3   10/10
Installed products updated.

Installed:
  apr-1.6.3-12.el8.aarch64
  apr-util-1.6.1-6.el8_8.1.aarch64
  apr-util-bdb-1.6.1-6.el8_8.1.aarch64
  apr-util-openssl-1.6.1-6.el8_8.1.aarch64
  httpd-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aarch64
  httpd-filesystem-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.noarch
  httpd-tools-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aarch64
  mailcap-2.1.48-3.el8.noarch
  mod_http2-1.15.7-8.module+el8.8.0+18751+b4557bca.3.aarch64
  redhat-logos-httpd-84.5-1.el8.noarch

Complete!
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

25 files removed
STEP 3/3: RUN systemctl enable httpd.service
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
COMMIT localhost/mysystemd:latest
--> 236f1577878d
Successfully tagged localhost/mysystemd:latest
236f1577878d06c112f46fd36b4347af529659ff4dd483239a45f4bf5c2c39d7
Pod:
aed736ef12a9629417e95a3d60a5cdfd022a463b880c3257bf506448887b0b14
Container:
5dcc3621e958cc53e467226227c7d9991e88571d07a071e39d3cee0040a358b2


8.4

Original

$ podman run --privileged quay.io/podman/stable podman version
Trying to pull quay.io/podman/stable:latest...
Getting image source signatures
…
Version:      4.5.0
API Version:  4.5.0
Go Version:   go1.20.2
Built:        Fri Apr 14 15:42:22 2023
OS/Arch:      linux/amd64

Check

$ podman run --privileged quay.io/podman/stable podman version
Trying to pull quay.io/podman/stable:latest...
Getting image source signatures
Copying blob b5b544529191 done
Copying blob cf68ce42903d done
Copying blob f5cdf37d6945 done
Copying blob be29a729e8b3 done
Copying blob 90065776a2dd done
Copying blob 1625e7b3ee80 done
Copying blob eaa9134f1553 done
Copying blob 11deb5a32965 done
Copying config c0ea429a33 done
Writing manifest to image destination
Storing signatures
Client:       Podman Engine
Version:      4.5.1
API Version:  4.5.1
Go Version:   go1.20.4
Built:        Fri May 26 17:58:19 2023
OS/Arch:      linux/arm64

Original

$ podman run --cap-drop=all --cap-add CAP_SETUID,CAP_SETGID --user podman quay.io/podman/stable podman version

Check

$ podman run --cap-drop=all --cap-add CAP_SETUID,CAP_SETGID --user podman quay.io/podman/stable podman version
Client:       Podman Engine
Version:      4.5.1
API Version:  4.5.1
Go Version:   go1.20.4
Built:        Fri May 26 17:58:19 2023
OS/Arch:      linux/arm64

9.1

Original

$ podman system service

Check

$ podman system service
  • after 5 seconds you will see the command exit

9.1.1

Original

$ systemctl --user enable podman.socket
Created symlink /home/dwalsh/.config/systemd/user/sockets.target.wants/podman.socket → /usr/lib/systemd/user/podman.socket.
$ systemctl --user start podman.socket

Check

$ systemctl --user enable podman.socket
Created symlink /home/user/.config/systemd/user/sockets.target.wants/podman.socket → /usr/lib/systemd/user/podman.socket.
$ systemctl --user start podman.socket

Original

$ ls $XDG_RUNTIME_DIR/podman/podman.sock 
/run/user/3267/podman/podman.sock

Check

$ ls $XDG_RUNTIME_DIR/podman/podman.sock
/run/user/1000/podman/podman.sock

Original

$ curl -s --unix-socket $XDG_RUNTIME_DIR/podman/podman.sock http://d/v1.0.0/libpod/version | jq
{
  "Platform": {
    "Name": "linux/amd64/fedora-35"
  },
  "Components": [
    {
      "Name": "Podman Engine",
      "Version": "4.0.0-dev",
      "Details": {
        "APIVersion": "4.0.0-dev",
        "Arch": "amd64",
        "BuildTime": "2022-01-04T13:42:14-05:00",
        "Experimental": "false",
        "GitCommit": "66ffbc845d1f0fd5c29611ac3f09daa24749dc1e-dirty",
        "GoVersion": "go1.16.12",
        "KernelVersion": "5.15.10-200.fc35.x86_64",
        "MinAPIVersion": "3.1.0",
        "Os": "linux"
      }
    },
    {
      "Name": "Conmon",
      "Version": "conmon version 2.0.30, commit: ",
      "Details": {
        "Package": "conmon-2.0.30-2.fc35.x86_64"
      }
    },
    {
      "Name": "OCI Runtime (crun)",
      "Version": "crun version 1.4\ncommit: 3daded072ef008ef0840e8eccb0b52a7efbd165d\nspec: 1.0.0\n+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL",
      "Details": {
        "Package": "crun-1.4-1.fc35.x86_64"
      }
    }
  ],
  "Version": "4.0.0-dev",
  "ApiVersion": "1.40",
  "MinAPIVersion": "1.24",
  "GitCommit": "66ffbc845d1f0fd5c29611ac3f09daa24749dc1e-dirty",
  "GoVersion": "go1.16.12",
  "Os": "linux",
  "Arch": "amd64",
  "KernelVersion": "5.15.10-200.fc35.x86_64",
  "BuildTime": "2022-01-04T13:42:14-05:00"
}

Check

$ curl -s --unix-socket $XDG_RUNTIME_DIR/podman/podman.sock http://d/v1.0.0/libpod/version | jq
{
  "Platform": {
    "Name": "linux/arm64/fedora-38"
  },
  "Components": [
    {
      "Name": "Podman Engine",
      "Version": "4.5.1",
      "Details": {
        "APIVersion": "4.5.1",
        "Arch": "arm64",
        "BuildTime": "2023-05-27T02:58:19+09:00",
        "Experimental": "false",
        "GitCommit": "",
        "GoVersion": "go1.20.4",
        "KernelVersion": "6.2.9-300.fc38.aarch64",
        "MinAPIVersion": "4.0.0",
        "Os": "linux"
      }
    },
    {
      "Name": "Conmon",
      "Version": "conmon version 2.1.7, commit: ",
      "Details": {
        "Package": "conmon-2.1.7-2.fc38.aarch64"
      }
    },
    {
      "Name": "OCI Runtime (crun)",
      "Version": "crun version 1.8.5\ncommit: b6f80f766c9a89eb7b1440c0a70ab287434b17ed\nrundir: /run/user/1000/crun\nspec: 1.0.0\n+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL",
      "Details": {
        "Package": "crun-1.8.5-1.fc38.aarch64"
      }
    }
  ],
  "Version": "4.5.1",
  "ApiVersion": "1.41",
  "MinAPIVersion": "1.24",
  "GitCommit": "",
  "GoVersion": "go1.20.4",
  "Os": "linux",
  "Arch": "arm64",
  "KernelVersion": "6.2.9-300.fc38.aarch64",
  "BuildTime": "2023-05-27T02:58:19+09:00"
}

9.2

Original

$ curl -s --unix-socket $XDG_RUNTIME_DIR/podman/podman.sock http://d/v1.0.0/libpod/images/json | jq
[
  {
    "Id": "848cc2fe875c3a5cb0e98c56527af1a8e147f37ed7352a79e950fb8bf7c403e1",
    "ParentId": "d82a426d9db28a07485613f0c2b72cfb6f64bfa0a745ec0d29fe56d82d62c3dd",
    "RepoTags": [
      "localhost/myimage:latest"
    ],
… 
    } 
]

Check

$ curl -s --unix-socket $XDG_RUNTIME_DIR/podman/podman.sock http://d/v1.0.0/libpod/images/json | jq
[
  {
    "Id": "2c7e43d880382561ebae3fa06c7a1442d0da2912786d09ea9baaef87f73c29ae",
    "ParentId": "",
    "RepoTags": [
      "quay.io/rhatdan/myimage:latest"
    ],
    "RepoDigests": [
      "quay.io/rhatdan/myimage@sha256:0460a9d13a806e124639b23e9d6ffa1e5773f7bef91469bee6ac88a4be213427"
    ],
    "Created": 1631099209,
    "Size": 461695134,
    "SharedSize": 0,
    "VirtualSize": 461695134,
    "Labels": {
      "architecture": "x86_64",
      "build-date": "2021-08-05T06:23:13.478839",
      "com.redhat.build-host": "cpt-1001.osbs.prod.upshift.rdu2.redhat.com",
      "com.redhat.component": "httpd-24-container",
      "com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
      "description": "Apache httpd 2.4 available as container, is a powerful, efficient, and extensible web server. Apache supports a variety of features, many implemented as compiled modules which extend the core functionality. These can range from server-side programming language support to authentication schemes. Virtual hosting allows one Apache installation to serve many different Web sites.",
      "distribution-scope": "public",
      "io.k8s.description": "Apache httpd 2.4 available as container, is a powerful, efficient, and extensible web server. Apache supports a variety of features, many implemented as compiled modules which extend the core functionality. These can range from server-side programming language support to authentication schemes. Virtual hosting allows one Apache installation to serve many different Web sites.",
      "io.k8s.display-name": "Apache httpd 2.4",
      "io.openshift.expose-services": "8080:http,8443:https",
      "io.openshift.s2i.scripts-url": "image:///usr/libexec/s2i",
      "io.openshift.tags": "builder,httpd,httpd-24",
      "io.s2i.scripts-url": "image:///usr/libexec/s2i",
      "maintainer": "SoftwareCollections.org <sclorg@redhat.com>",
      "name": "ubi8/httpd-24",
      "release": "152",
      "summary": "Platform for running Apache httpd 2.4 or building httpd-based application",
      "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8/httpd-24/images/1-152",
      "usage": "s2i build https://github.com/sclorg/httpd-container.git --context-dir=examples/sample-test-app/ ubi8/httpd-24 sample-server",
      "vcs-ref": "a90adf6894f1618e032e11f0bcaf23839daaf1c4",
      "vcs-type": "git",
      "vendor": "Red Hat, Inc.",
      "version": "1"
    },
    "Containers": 0,
    "Names": [
      "quay.io/rhatdan/myimage:latest"
    ],
    "Digest": "sha256:0460a9d13a806e124639b23e9d6ffa1e5773f7bef91469bee6ac88a4be213427",
    "History": [
      "quay.io/rhatdan/myimage:latest"
    ]
  },
  {
    "Id": "70d0b9ca9475c26570b8680f382809267c4c0df3e69111945009c092a92a4f1b",
    "ParentId": "",
    "RepoTags": [
      "localhost/podman-pause:4.5.1-1685123899"
    ],
    "RepoDigests": [
      "localhost/podman-pause@sha256:b7fff239a65295d77ecde0d416ad7fa044113b645bdd2d87635e2b681a124af7"
    ],
    "Created": 1687563686,
    "Size": 1111168,
    "SharedSize": 0,
    "VirtualSize": 1111168,
    "Labels": {
      "io.buildah.version": "1.30.0"
    },
    "Containers": 1,
    "Names": [
      "localhost/podman-pause:4.5.1-1685123899"
    ],
    "Digest": "sha256:b7fff239a65295d77ecde0d416ad7fa044113b645bdd2d87635e2b681a124af7",
    "History": [
      "localhost/podman-pause:4.5.1-1685123899"
    ]
  },
  {
    "Id": "7853751841780843706c6a8814118218fc4f32bd72232e0a2b54cc49379af532",
    "ParentId": "",
    "RepoTags": [
      "registry.access.redhat.com/ubi8-init:latest"
    ],
    "RepoDigests": [
      "registry.access.redhat.com/ubi8-init@sha256:63560f0d13fc1599e17cd966e9f7ebe6beeccd238a196ee6b39586d4e96a358e",
      "registry.access.redhat.com/ubi8-init@sha256:bca2e5771c3f4e247546cc71afccc6929e38bacb554b74fb01e43efc1711a76d"
    ],
    "Created": 1683183782,
    "Size": 254102881,
    "SharedSize": 0,
    "VirtualSize": 254102881,
    "Labels": {
      "architecture": "aarch64",
      "build-date": "2023-05-04T07:00:52",
      "com.redhat.component": "ubi8-init-container",
      "com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
      "description": "The Universal Base Image Init is designed is designed to run an init system as PID 1 for running multi-services inside a container. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.",
      "distribution-scope": "public",
      "io.buildah.version": "1.27.3",
      "io.k8s.description": "The Universal Base Image Init is designed is designed to run an init system as PID 1 for running multi-services inside a container. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.",
      "io.k8s.display-name": "Red Hat Universal Base Image 8 Init",
      "io.openshift.expose-services": "",
      "io.openshift.tags": "base rhel8",
      "maintainer": "Red Hat, Inc.",
      "name": "ubi8/ubi8-init",
      "release": "6",
      "summary": "Provides the latest release of the Red Hat Universal Base Image 8 Init for multi-service containers.",
      "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8/ubi8-init/images/8.8-6",
      "usage": "Do not use directly. Use as a base image for daemons. Install chosen packages and 'systemctl enable' them.",
      "vcs-ref": "20d876985dfd3b8c82f1b80e9a688534a5f868db",
      "vcs-type": "git",
      "vendor": "Red Hat, Inc.",
      "version": "8.8"
    },
    "Containers": 0,
    "Names": [
      "registry.access.redhat.com/ubi8-init:latest"
    ],
    "Digest": "sha256:63560f0d13fc1599e17cd966e9f7ebe6beeccd238a196ee6b39586d4e96a358e",
    "History": [
      "registry.access.redhat.com/ubi8-init:latest"
    ]
  },
  {
    "Id": "236f1577878d06c112f46fd36b4347af529659ff4dd483239a45f4bf5c2c39d7",
    "ParentId": "",
    "RepoTags": [
      "localhost/mysystemd:latest"
    ],
    "RepoDigests": [
      "localhost/mysystemd@sha256:1ccbe18f1964b2ee7e93b1ae03fc7998c32337f4a3e40812944f4ee05ed33f91"
    ],
    "Created": 1687566193,
    "Size": 282394338,
    "SharedSize": 0,
    "VirtualSize": 282394338,
    "Labels": {
      "architecture": "aarch64",
      "build-date": "2023-05-04T07:00:52",
      "com.redhat.component": "ubi8-init-container",
      "com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
      "description": "The Universal Base Image Init is designed is designed to run an init system as PID 1 for running multi-services inside a container. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.",
      "distribution-scope": "public",
      "io.buildah.version": "1.30.0",
      "io.k8s.description": "The Universal Base Image Init is designed is designed to run an init system as PID 1 for running multi-services inside a container. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.",
      "io.k8s.display-name": "Red Hat Universal Base Image 8 Init",
      "io.openshift.expose-services": "",
      "io.openshift.tags": "base rhel8",
      "maintainer": "Red Hat, Inc.",
      "name": "ubi8/ubi8-init",
      "release": "6",
      "summary": "Provides the latest release of the Red Hat Universal Base Image 8 Init for multi-service containers.",
      "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8/ubi8-init/images/8.8-6",
      "usage": "Do not use directly. Use as a base image for daemons. Install chosen packages and 'systemctl enable' them.",
      "vcs-ref": "20d876985dfd3b8c82f1b80e9a688534a5f868db",
      "vcs-type": "git",
      "vendor": "Red Hat, Inc.",
      "version": "8.8"
    },
    "Containers": 1,
    "Names": [
      "localhost/mysystemd:latest"
    ],
    "Digest": "sha256:1ccbe18f1964b2ee7e93b1ae03fc7998c32337f4a3e40812944f4ee05ed33f91",
    "History": [
      "localhost/mysystemd:latest"
    ]
  },
  {
    "Id": "c0ea429a33ed42d467dc026f289ba1fc9f0b8001a62ab938281e1ca2067e938a",
    "ParentId": "",
    "RepoTags": [
      "quay.io/podman/stable:latest"
    ],
    "RepoDigests": [
      "quay.io/podman/stable@sha256:9d4e98fd4d7006fa517f2668ae5a67a184d88e521c0bedb2168ad3d86310a984",
      "quay.io/podman/stable@sha256:dbf78b45133f7ceb91c0a74e1001c7c35f50e7b78a9890b90546e8ad8fff4d56"
    ],
    "Created": 1687547133,
    "Size": 714268105,
    "SharedSize": 0,
    "VirtualSize": 714268105,
    "Labels": {
      "io.buildah.version": "1.30.0",
      "license": "MIT",
      "name": "fedora",
      "org.opencontainers.image.created": "2023-06-23T18:20:33+00:00",
      "org.opencontainers.image.source": "https://github.com/containers/podman.git",
      "org.opencontainers.image.version": "4.5.1",
      "vendor": "Fedora Project",
      "version": "38"
    },
    "Containers": 2,
    "Names": [
      "quay.io/podman/stable:latest"
    ],
    "Digest": "sha256:dbf78b45133f7ceb91c0a74e1001c7c35f50e7b78a9890b90546e8ad8fff4d56",
    "History": [
      "quay.io/podman/stable:latest"
    ]
  }
]

Original

$ curl -s --unix-socket $XDG_RUNTIME_DIR/podman/podman.sock http://d/v1.0.0/images/json | jq
[
  {
    "Id": "848cc2fe875c3a5cb0e98c56527af1a8e147f37ed7352a79e950fb8bf7c403e1",
    "ParentId": "d82a426d9db28a07485613f0c2b72cfb6f64bfa0a745ec0d29fe56d82d62c3dd",
    "RepoTags": [
      "localhost/myimage:latest"
    ],
… 
    } 
]

Check

$ curl -s --unix-socket $XDG_RUNTIME_DIR/podman/podman.sock http://d/v1.0.0/images/json | jq
[
  {
    "Id": "sha256:2c7e43d880382561ebae3fa06c7a1442d0da2912786d09ea9baaef87f73c29ae",
    "ParentId": "",
    "RepoTags": [
      "quay.io/rhatdan/myimage:latest"
    ],
    "RepoDigests": [
      "quay.io/rhatdan/myimage@sha256:0460a9d13a806e124639b23e9d6ffa1e5773f7bef91469bee6ac88a4be213427"
    ],
    "Created": 1631099209,
    "Size": 461695134,
    "SharedSize": 0,
    "VirtualSize": 461695134,
    "Labels": {
      "architecture": "x86_64",
      "build-date": "2021-08-05T06:23:13.478839",
      "com.redhat.build-host": "cpt-1001.osbs.prod.upshift.rdu2.redhat.com",
      "com.redhat.component": "httpd-24-container",
      "com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
      "description": "Apache httpd 2.4 available as container, is a powerful, efficient, and extensible web server. Apache supports a variety of features, many implemented as compiled modules which extend the core functionality. These can range from server-side programming language support to authentication schemes. Virtual hosting allows one Apache installation to serve many different Web sites.",
      "distribution-scope": "public",
      "io.k8s.description": "Apache httpd 2.4 available as container, is a powerful, efficient, and extensible web server. Apache supports a variety of features, many implemented as compiled modules which extend the core functionality. These can range from server-side programming language support to authentication schemes. Virtual hosting allows one Apache installation to serve many different Web sites.",
      "io.k8s.display-name": "Apache httpd 2.4",
      "io.openshift.expose-services": "8080:http,8443:https",
      "io.openshift.s2i.scripts-url": "image:///usr/libexec/s2i",
      "io.openshift.tags": "builder,httpd,httpd-24",
      "io.s2i.scripts-url": "image:///usr/libexec/s2i",
      "maintainer": "SoftwareCollections.org <sclorg@redhat.com>",
      "name": "ubi8/httpd-24",
      "release": "152",
      "summary": "Platform for running Apache httpd 2.4 or building httpd-based application",
      "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8/httpd-24/images/1-152",
      "usage": "s2i build https://github.com/sclorg/httpd-container.git --context-dir=examples/sample-test-app/ ubi8/httpd-24 sample-server",
      "vcs-ref": "a90adf6894f1618e032e11f0bcaf23839daaf1c4",
      "vcs-type": "git",
      "vendor": "Red Hat, Inc.",
      "version": "1"
    },
    "Containers": 0,
    "Names": [
      "quay.io/rhatdan/myimage:latest"
    ],
    "Digest": "sha256:0460a9d13a806e124639b23e9d6ffa1e5773f7bef91469bee6ac88a4be213427",
    "History": [
      "quay.io/rhatdan/myimage:latest"
    ]
  },
  {
    "Id": "sha256:70d0b9ca9475c26570b8680f382809267c4c0df3e69111945009c092a92a4f1b",
    "ParentId": "",
    "RepoTags": [
      "localhost/podman-pause:4.5.1-1685123899"
    ],
    "RepoDigests": [
      "localhost/podman-pause@sha256:b7fff239a65295d77ecde0d416ad7fa044113b645bdd2d87635e2b681a124af7"
    ],
    "Created": 1687563686,
    "Size": 1111168,
    "SharedSize": 0,
    "VirtualSize": 1111168,
    "Labels": {
      "io.buildah.version": "1.30.0"
    },
    "Containers": 1,
    "Names": [
      "localhost/podman-pause:4.5.1-1685123899"
    ],
    "Digest": "sha256:b7fff239a65295d77ecde0d416ad7fa044113b645bdd2d87635e2b681a124af7",
    "History": [
      "localhost/podman-pause:4.5.1-1685123899"
    ]
  },
  {
    "Id": "sha256:7853751841780843706c6a8814118218fc4f32bd72232e0a2b54cc49379af532",
    "ParentId": "",
    "RepoTags": [
      "registry.access.redhat.com/ubi8-init:latest"
    ],
    "RepoDigests": [
      "registry.access.redhat.com/ubi8-init@sha256:63560f0d13fc1599e17cd966e9f7ebe6beeccd238a196ee6b39586d4e96a358e",
      "registry.access.redhat.com/ubi8-init@sha256:bca2e5771c3f4e247546cc71afccc6929e38bacb554b74fb01e43efc1711a76d"
    ],
    "Created": 1683183782,
    "Size": 254102881,
    "SharedSize": 0,
    "VirtualSize": 254102881,
    "Labels": {
      "architecture": "aarch64",
      "build-date": "2023-05-04T07:00:52",
      "com.redhat.component": "ubi8-init-container",
      "com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
      "description": "The Universal Base Image Init is designed is designed to run an init system as PID 1 for running multi-services inside a container. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.",
      "distribution-scope": "public",
      "io.buildah.version": "1.27.3",
      "io.k8s.description": "The Universal Base Image Init is designed is designed to run an init system as PID 1 for running multi-services inside a container. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.",
      "io.k8s.display-name": "Red Hat Universal Base Image 8 Init",
      "io.openshift.expose-services": "",
      "io.openshift.tags": "base rhel8",
      "maintainer": "Red Hat, Inc.",
      "name": "ubi8/ubi8-init",
      "release": "6",
      "summary": "Provides the latest release of the Red Hat Universal Base Image 8 Init for multi-service containers.",
      "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8/ubi8-init/images/8.8-6",
      "usage": "Do not use directly. Use as a base image for daemons. Install chosen packages and 'systemctl enable' them.",
      "vcs-ref": "20d876985dfd3b8c82f1b80e9a688534a5f868db",
      "vcs-type": "git",
      "vendor": "Red Hat, Inc.",
      "version": "8.8"
    },
    "Containers": 0,
    "Names": [
      "registry.access.redhat.com/ubi8-init:latest"
    ],
    "Digest": "sha256:63560f0d13fc1599e17cd966e9f7ebe6beeccd238a196ee6b39586d4e96a358e",
    "History": [
      "registry.access.redhat.com/ubi8-init:latest"
    ]
  },
  {
    "Id": "sha256:236f1577878d06c112f46fd36b4347af529659ff4dd483239a45f4bf5c2c39d7",
    "ParentId": "",
    "RepoTags": [
      "localhost/mysystemd:latest"
    ],
    "RepoDigests": [
      "localhost/mysystemd@sha256:1ccbe18f1964b2ee7e93b1ae03fc7998c32337f4a3e40812944f4ee05ed33f91"
    ],
    "Created": 1687566193,
    "Size": 282394338,
    "SharedSize": 0,
    "VirtualSize": 282394338,
    "Labels": {
      "architecture": "aarch64",
      "build-date": "2023-05-04T07:00:52",
      "com.redhat.component": "ubi8-init-container",
      "com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
      "description": "The Universal Base Image Init is designed is designed to run an init system as PID 1 for running multi-services inside a container. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.",
      "distribution-scope": "public",
      "io.buildah.version": "1.30.0",
      "io.k8s.description": "The Universal Base Image Init is designed is designed to run an init system as PID 1 for running multi-services inside a container. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.",
      "io.k8s.display-name": "Red Hat Universal Base Image 8 Init",
      "io.openshift.expose-services": "",
      "io.openshift.tags": "base rhel8",
      "maintainer": "Red Hat, Inc.",
      "name": "ubi8/ubi8-init",
      "release": "6",
      "summary": "Provides the latest release of the Red Hat Universal Base Image 8 Init for multi-service containers.",
      "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8/ubi8-init/images/8.8-6",
      "usage": "Do not use directly. Use as a base image for daemons. Install chosen packages and 'systemctl enable' them.",
      "vcs-ref": "20d876985dfd3b8c82f1b80e9a688534a5f868db",
      "vcs-type": "git",
      "vendor": "Red Hat, Inc.",
      "version": "8.8"
    },
    "Containers": 1,
    "Names": [
      "localhost/mysystemd:latest"
    ],
    "Digest": "sha256:1ccbe18f1964b2ee7e93b1ae03fc7998c32337f4a3e40812944f4ee05ed33f91",
    "History": [
      "localhost/mysystemd:latest"
    ]
  },
  {
    "Id": "sha256:c0ea429a33ed42d467dc026f289ba1fc9f0b8001a62ab938281e1ca2067e938a",
    "ParentId": "",
    "RepoTags": [
      "quay.io/podman/stable:latest"
    ],
    "RepoDigests": [
      "quay.io/podman/stable@sha256:9d4e98fd4d7006fa517f2668ae5a67a184d88e521c0bedb2168ad3d86310a984",
      "quay.io/podman/stable@sha256:dbf78b45133f7ceb91c0a74e1001c7c35f50e7b78a9890b90546e8ad8fff4d56"
    ],
    "Created": 1687547133,
    "Size": 714268105,
    "SharedSize": 0,
    "VirtualSize": 714268105,
    "Labels": {
      "io.buildah.version": "1.30.0",
      "license": "MIT",
      "name": "fedora",
      "org.opencontainers.image.created": "2023-06-23T18:20:33+00:00",
      "org.opencontainers.image.source": "https://github.com/containers/podman.git",
      "org.opencontainers.image.version": "4.5.1",
      "vendor": "Fedora Project",
      "version": "38"
    },
    "Containers": 2,
    "Names": [
      "quay.io/podman/stable:latest"
    ],
    "Digest": "sha256:dbf78b45133f7ceb91c0a74e1001c7c35f50e7b78a9890b90546e8ad8fff4d56",
    "History": [
      "quay.io/podman/stable:latest"
    ]
  }
]

Original

$ podman pod create --name mypod
116291543d5691c597132ec73a428f29f2c1f71a65fdfbaca17eb5440a5d47f6

Check

$ podman pod create --name mypod
3695aae563b8f63f2b1e779101c5fa781b67246e4fd5e16c4282b0f39f5b0f36

Original

$ curl -s --unix-socket $XDG_RUNTIME_DIR/podman/podman.sock
➥ http://d/v1.0.0/libpod/pods/json | jq [
{
"Cgroup": "user.slice", “Containers": [
{
"Id": "8eeceeb4fd6aa3897e05b5361b5c27c6e98bc29707484f95994f49437536599e", "Names": "4b10a21c5b8c-infra",
"Status": "running"
} ],
"Created": "2022-01-05T06:51:52.604528462-05:00",
"Id": "4b10a21c5b8c2b4f8a598de1eace7b94918d813055891276c2472df856a7fbc1", "InfraId":
➥ "8eeceeb4fd6aa3897e05b5361b5c27c6e98bc29707484f95994f49437536599e", "Name": "test_pod",
"Namespace": "",
“Networks": [],
"Status": "Running",
"Labels": {} },
{
"Cgroup": "user.slice", "Containers": [
{
"Id": "7a7405a31917da7bde01a6000809e0ee12f40b69fc76963d87a8ae254b34d8c7", "Names": "e10eb9303705-infra",
"Status": "configured"
}
],
"Created": "2022-01-05T09:18:01.648324833-05:00",
"Id": "e10eb930370592834fc168a7460fabe9b3e0e20a54b48a2bf3236cecd75f8138", "InfraId":
➥ "7a7405a31917da7bde01a6000809e0ee12f40b69fc76963d87a8ae254b34d8c7", "Name": "mypod",
"Namespace": "",
"Networks": [],
"Status": "Created",
"Labels": {} }
]

Check

$ curl -s --unix-socket $XDG_RUNTIME_DIR/podman/podman.sock http://d/v1.0.0/libpod/pods/json | jq
[
  {
    "Cgroup": "user.slice",
    "Containers": [
      {
        "Id": "eada551c04a382a16278f1c1fc89bbf13d0097c272b85b9d13442bd1f851f3d9",
        "Names": "3695aae563b8-infra",
        "Status": "created"
      }
    ],
    "Created": "2023-06-24T15:39:04.02905947+09:00",
    "Id": "3695aae563b8f63f2b1e779101c5fa781b67246e4fd5e16c4282b0f39f5b0f36",
    "InfraId": "eada551c04a382a16278f1c1fc89bbf13d0097c272b85b9d13442bd1f851f3d9",
    "Name": "mypod",
    "Namespace": "",
    "Networks": [],
    "Status": "Created",
    "Labels": {}
  },
  {
    "Cgroup": "user.slice",
    "Containers": [
      {
        "Id": "5dcc3621e958cc53e467226227c7d9991e88571d07a071e39d3cee0040a358b2",
        "Names": "myapp-pod-myapp",
        "Status": "running"
      },
      {
        "Id": "7e8f17c9545db2ca57955289cc3d2841ffb9c4aa92c0c918253e6d75fa23ffd7",
        "Names": "aed736ef12a9-infra",
        "Status": "running"
      }
    ],
    "Created": "2023-06-24T09:23:07.868262655+09:00",
    "Id": "aed736ef12a9629417e95a3d60a5cdfd022a463b880c3257bf506448887b0b14",
    "InfraId": "7e8f17c9545db2ca57955289cc3d2841ffb9c4aa92c0c918253e6d75fa23ffd7",
    "Name": "myapp-pod",
    "Namespace": "",
    "Networks": [
      "podman-default-kube-network"
    ],
    "Status": "Running",
    "Labels": {
      "app": "myapp-pod"
    }
  }
]

Original

$ curl -s --unix-socket $XDG_RUNTIME_DIR/podman/podman.sock 
➥ http://d/v1.0.0/pods/json 
Not Found

Check

$ curl -s --unix-socket $XDG_RUNTIME_DIR/podman/podman.sock http://d/v1.0.0/pods/json
Not Found

9.3.1

Original

$ sudo dnf install -y python-docker

Check

$ sudo dnf install -y python-docker
[sudo] password for user:
Last metadata expiration check: 0:03:29 ago on Sat 24 Jun 2023 03:43:07 PM JST.
Dependencies resolved.
================================================================================================================================================================================================================================================================================
 Package                                                                       Architecture                                                Version                                                            Repository                                                   Size
================================================================================================================================================================================================================================================================================
Installing:
 python3-docker                                                                noarch                                                      5.0.3-3.fc38                                                       fedora                                                      291 k
Installing dependencies:
 python3-websocket-client                                                      noarch                                                      1.3.3-3.fc38                                                       fedora                                                      130 k

Transaction Summary
================================================================================================================================================================================================================================================================================
Install  2 Packages

Total download size: 421 k
Installed size: 1.5 M
Downloading Packages:
(1/2): python3-websocket-client-1.3.3-3.fc38.noarch.rpm                                                                                                                                                                                         439 kB/s | 130 kB     00:00
(2/2): python3-docker-5.0.3-3.fc38.noarch.rpm                                                                                                                                                                                                   902 kB/s | 291 kB     00:00
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                                                           151 kB/s | 421 kB     00:02
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                                                                                        1/1
  Installing       : python3-websocket-client-1.3.3-3.fc38.noarch                                                                                                                                                                                                           1/2
  Installing       : python3-docker-5.0.3-3.fc38.noarch                                                                                                                                                                                                                     2/2
  Running scriptlet: python3-docker-5.0.3-3.fc38.noarch                                                                                                                                                                                                                     2/2
  Verifying        : python3-docker-5.0.3-3.fc38.noarch                                                                                                                                                                                                                     1/2
  Verifying        : python3-websocket-client-1.3.3-3.fc38.noarch                                                                                                                                                                                                           2/2

Installed:
  python3-docker-5.0.3-3.fc38.noarch                                                                                                python3-websocket-client-1.3.3-3.fc38.noarch

Complete!

Original

$ cat > images.py << _EOF
import docker client=docker.DockerClient(base_url='unix:/run/user/1000/podman/podman.sock') print(client.images.list(all=True))
_EOF

Check

$ cat > images.py << _EOF
import docker
client=docker.DockerClient(base_url='unix:/run/user/1000/podman/podman.sock')
print(client.images.list(all=True))
_EOF

Original

$ python images.py
[<Image: 'quay.io/rhatdan/myimage:latest'>, <Image: 'k8s.gcr.io/pause:3.5'>]

Check

$ python images.py
[<Image: 'quay.io/rhatdan/myimage:latest'>, <Image: 'localhost/podman-pause:4.5.1-1685123899'>]

Original

$ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock

Check

$ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock

Original

$ cat > images.py << _EOF
import docker
client=docker.from_env()
print(client.images.list(all=True))
_EOF

Check

$ cat > images.py << _EOF
import docker
client=docker.from_env()
print(client.images.list(all=True))
_EOF

Original

$ python images.py

Check

$ python images.py
[<Image: 'quay.io/rhatdan/myimage:latest'>, <Image: 'localhost/podman-pause:4.5.1-1685123899'>, <Image: 'registry.access.redhat.com/ubi8-init:latest'>, <Image: 'localhost/mysystemd:latest'>, <Image: 'quay.io/podman/stable:latest'>]

9.3.2

Original

$ sudo dnf install -y python-podman
Last metadata expiration check: 0:27:40 ago on Sun 19 Jun 2022 02:14:49 PM EDT. Dependencies resolved.
…
Installed: 
  python3-podman-3:4.0.0-1.fc36.noarch
Complete!

Check

$ sudo dnf install -y python-podman
[sudo] password for user:
Last metadata expiration check: 0:16:11 ago on Sat 24 Jun 2023 03:43:07 PM JST.
Dependencies resolved.
================================================================================================================================================================================================================================================================================
 Package                                                               Architecture                                                  Version                                                               Repository                                                      Size
================================================================================================================================================================================================================================================================================
Installing:
 python3-podman                                                        noarch                                                        3:4.5.1-1.fc38                                                        updates                                                        209 k
Installing dependencies:
 python3-pyxdg                                                         noarch                                                        0.27-7.fc38                                                           fedora                                                         134 k
 python3-toml                                                          noarch                                                        0.10.2-11.fc38                                                        fedora                                                          56 k

Transaction Summary
================================================================================================================================================================================================================================================================================
Install  3 Packages

Total download size: 400 k
Installed size: 1.4 M
Downloading Packages:
(1/3): python3-toml-0.10.2-11.fc38.noarch.rpm                                                                                                                                                                                                   174 kB/s |  56 kB     00:00
(2/3): python3-pyxdg-0.27-7.fc38.noarch.rpm                                                                                                                                                                                                     346 kB/s | 134 kB     00:00
(3/3): python3-podman-4.5.1-1.fc38.noarch.rpm                                                                                                                                                                                                   455 kB/s | 209 kB     00:00
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                                                           107 kB/s | 400 kB     00:03
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                                                                                        1/1
  Installing       : python3-toml-0.10.2-11.fc38.noarch                                                                                                                                                                                                                     1/3
  Installing       : python3-pyxdg-0.27-7.fc38.noarch                                                                                                                                                                                                                       2/3
  Installing       : python3-podman-3:4.5.1-1.fc38.noarch                                                                                                                                                                                                                   3/3
  Running scriptlet: python3-podman-3:4.5.1-1.fc38.noarch                                                                                                                                                                                                                   3/3
  Verifying        : python3-pyxdg-0.27-7.fc38.noarch                                                                                                                                                                                                                       1/3
  Verifying        : python3-toml-0.10.2-11.fc38.noarch                                                                                                                                                                                                                     2/3
  Verifying        : python3-podman-3:4.5.1-1.fc38.noarch                                                                                                                                                                                                                   3/3

Installed:
  python3-podman-3:4.5.1-1.fc38.noarch                                                        python3-pyxdg-0.27-7.fc38.noarch                                                        python3-toml-0.10.2-11.fc38.noarch

Complete!

Original

$ cat > podman-images.py << _EOF
import podman
client=podman.PodmanClient()
print(client.images.list())
_EOF

Check

$ cat > podman-images.py << _EOF
import podman
client=podman.PodmanClient()
print(client.images.list())
_EOF

Original

$ python podman-images.py
[<Image: 'quay.io/rhatdan/myimage:latest'>, <Image: 'k8s.gcr.io/pause:3.5'>]

Check

$ python podman-images.py
[<Image: 'quay.io/rhatdan/myimage:latest'>, <Image: 'localhost/podman-pause:4.5.1-1685123899'>

Original

$ cat >> podman-images.py << _EOF
for i in client.pods.list():
  print(i.attrs) 
_EOF

Check

$ cat >> podman-images.py << _EOF
for i in client.pods.list():
  print(i.attrs) 
_EOF

Original

$ python podman-images.py
[<Image: 'quay.io/rhatdan/myimage:latest'>, <Image: 'k8s.gcr.io/pause:3.5'>] {'Cgroup': 'user.slice', 'Containers': [{'Id':
➥ 'f8679839c25729eb422d38e505ae3a4b7ffe18942e2f77a997bd388e0f52313e',
➥ 'Names': '116291543d56-infra', 'Status': 'configured'}], 'Created':
➥ '2021-12-14T06:44:04.56055485-05:00', 'Id':
'116291543d5691c597132ec73a428f29f2c1f71a65fdfbaca17eb5440a5d47f6', ➥ 'InfraId':
'f8679839c25729eb422d38e505ae3a4b7ffe18942e2f77a997bd388e0f52313e', ➥ 'Name': 'mypod', 'Namespace': '', 'Networks': None, 'Status':
➥ 'Created', 'Labels': {}}

Check

$ python podman-images.py
[<Image: 'quay.io/rhatdan/myimage:latest'>, <Image: 'localhost/podman-pause:4.5.1-1685123899'>]
{'Cgroup': 'user.slice', 'Containers': [{'Id': 'eada551c04a382a16278f1c1fc89bbf13d0097c272b85b9d13442bd1f851f3d9', 'Names': '3695aae563b8-infra', 'Status': 'created'}], 'Created': '2023-06-24T15:39:04.02905947+09:00', 'Id': '3695aae563b8f63f2b1e779101c5fa781b67246e4fd5e16c4282b0f39f5b0f36', 'InfraId': 'eada551c04a382a16278f1c1fc89bbf13d0097c272b85b9d13442bd1f851f3d9', 'Name': 'mypod', 'Namespace': '', 'Networks': [], 'Status': 'Created', 'Labels': {}}
{'Cgroup': 'user.slice', 'Containers': [{'Id': '5dcc3621e958cc53e467226227c7d9991e88571d07a071e39d3cee0040a358b2', 'Names': 'myapp-pod-myapp', 'Status': 'running'}, {'Id': '7e8f17c9545db2ca57955289cc3d2841ffb9c4aa92c0c918253e6d75fa23ffd7', 'Names': 'aed736ef12a9-infra', 'Status': 'running'}], 'Created': '2023-06-24T09:23:07.868262655+09:00', 'Id': 'aed736ef12a9629417e95a3d60a5cdfd022a463b880c3257bf506448887b0b14', 'InfraId': '7e8f17c9545db2ca57955289cc3d2841ffb9c4aa92c0c918253e6d75fa23ffd7', 'Name': 'myapp-pod', 'Namespace': '', 'Networks': ['podman-default-kube-network'], 'Status': 'Running', 'Labels': {'app': 'myapp-pod'}}
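Added example, not from the book or from this gist: the scripts in 9.3.1 and 9.3.2 only print the image list, and the first one hard-codes uid 1000 in the socket path. The script below derives the rootless socket URL from DOCKER_HOST, XDG_RUNTIME_DIR or the current uid, pulls the raw records from the Docker-compatible images endpoint (the same shape as the `/v1.0.0/images/json` output above) and audits them: tags from outside an approved registry list, a `Digest` that does not appear in `RepoDigests`, and a missing `vendor` label. The approved-registry list and the sample records are constructed for this example; the live query uses docker-py's `DockerClient(...).api.images(all=True)`, and if no socket is reachable the audit falls back to the embedded sample so it runs offline.

```python
# Added example (not the book's or the gist's code): audit the image records
# Podman serves over its Docker-compatible socket API.
import os


def podman_socket_url(environ=None, uid=None):
    """Return the socket URL docker-py should use for rootless Podman.

    Preference order (an assumption of this example): DOCKER_HOST if set,
    then $XDG_RUNTIME_DIR/podman/podman.sock, then /run/user/<uid>/..., so
    the uid is never hard-coded the way the book's first script does.
    """
    env = os.environ if environ is None else environ
    if env.get("DOCKER_HOST"):
        return env["DOCKER_HOST"]
    runtime_dir = env.get("XDG_RUNTIME_DIR")
    if not runtime_dir:
        runtime_dir = "/run/user/%d" % (os.getuid() if uid is None else uid)
    return "unix://%s/podman/podman.sock" % runtime_dir


# Hypothetical policy for this example: registries whose images are allowed.
APPROVED_PREFIXES = ("registry.access.redhat.com/", "quay.io/podman/")


def audit_images(images, approved=APPROVED_PREFIXES):
    """Return (tag, finding) pairs for records from GET /images/json.

    Three checks a reviewer wants when a host's image store is enumerated:
      * the tag comes from an approved registry (locally built `localhost/`
        images are flagged: they never went through registry scanning),
      * the `Digest` field is one of the `RepoDigests` entries,
      * a `vendor` label is present (UBI images always set one).
    """
    findings = []
    for img in images:
        tags = img.get("RepoTags") or ["<untagged>"]
        for tag in tags:
            if not tag.startswith(approved):
                findings.append((tag, "unapproved-registry"))
        digest = img.get("Digest") or ""
        repo_digests = img.get("RepoDigests") or []
        if digest and not any(rd.endswith("@" + digest) for rd in repo_digests):
            findings.append((tags[0], "digest-not-in-repodigests"))
        if "vendor" not in (img.get("Labels") or {}):
            findings.append((tags[0], "missing-vendor-label"))
    return findings


def list_images(url):
    """Fetch raw list records through docker-py; needs a reachable socket."""
    import docker  # imported here so the audit itself runs without docker-py

    # api.images() returns the untouched /images/json list, which keeps
    # `Labels` at the top level exactly as the curl output in the gist shows.
    return docker.DockerClient(base_url=url).api.images(all=True)


# Constructed sample, trimmed from two records in the gist's own output.
SAMPLE_IMAGES = [
    {
        "Id": "sha256:7853751841780843706c6a8814118218fc4f32bd72232e0a2b54cc49379af532",
        "RepoTags": ["registry.access.redhat.com/ubi8-init:latest"],
        "RepoDigests": [
            "registry.access.redhat.com/ubi8-init@sha256:63560f0d13fc1599e17cd966e9f7ebe6beeccd238a196ee6b39586d4e96a358e",
            "registry.access.redhat.com/ubi8-init@sha256:bca2e5771c3f4e247546cc71afccc6929e38bacb554b74fb01e43efc1711a76d",
        ],
        "Digest": "sha256:63560f0d13fc1599e17cd966e9f7ebe6beeccd238a196ee6b39586d4e96a358e",
        "Labels": {"vendor": "Red Hat, Inc.", "version": "8.8"},
    },
    {
        "Id": "sha256:70d0b9ca9475c26570b8680f382809267c4c0df3e69111945009c092a92a4f1b",
        "RepoTags": ["localhost/podman-pause:4.5.1-1685123899"],
        "RepoDigests": [
            "localhost/podman-pause@sha256:b7fff239a65295d77ecde0d416ad7fa044113b645bdd2d87635e2b681a124af7"
        ],
        "Digest": "sha256:b7fff239a65295d77ecde0d416ad7fa044113b645bdd2d87635e2b681a124af7",
        "Labels": {"io.buildah.version": "1.30.0"},
    },
]


if __name__ == "__main__":
    try:
        images = list_images(podman_socket_url())
    except Exception as exc:  # no socket or no docker-py: use the sample
        print("live query failed (%s); auditing the constructed sample" % exc)
        images = SAMPLE_IMAGES
    for tag, finding in audit_images(images):
        print(tag, finding)
```

Against the sample the podman-pause image is reported twice (unapproved registry, no vendor label) and the UBI image is clean; on a live host the same two findings show up for `localhost/mysystemd:latest` from the gist, which is the expected result for a locally built image.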

9.4

Original

$ sudo dnf -y install docker-compose

Check

$ sudo dnf -y install docker-compose
[sudo] password for user:
Last metadata expiration check: 2:15:20 ago on Sat 24 Jun 2023 03:43:07 PM JST.
Dependencies resolved.
================================================================================================================================================================================================================================================================================
 Package                                                                    Architecture                                               Version                                                                 Repository                                                  Size
================================================================================================================================================================================================================================================================================
Installing:
 docker-compose                                                             noarch                                                     1.29.2-7.fc38                                                           fedora                                                     338 k
Installing dependencies:
 libsodium                                                                  aarch64                                                    1.0.18-11.fc38                                                          fedora                                                     120 k
 python3-attrs                                                              noarch                                                     22.2.0-2.fc38                                                           fedora                                                     124 k
 python3-bcrypt                                                             aarch64                                                    3.2.2-5.fc38                                                            fedora                                                      41 k
 python3-cached_property                                                    noarch                                                     1.5.2-9.fc38                                                            fedora                                                      20 k
 python3-certifi                                                            noarch                                                     2022.09.24-2.fc38                                                       fedora                                                      15 k
 python3-chardet                                                            noarch                                                     5.1.0-2.fc38                                                            fedora                                                     303 k
 python3-click                                                              noarch                                                     8.1.3-2.fc38                                                            fedora                                                     238 k
 python3-docker+ssh                                                         noarch                                                     5.0.3-3.fc38                                                            fedora                                                     8.9 k
 python3-docker-pycreds                                                     noarch                                                     0.4.0-15.fc38                                                           fedora                                                      28 k
 python3-dockerpty                                                          noarch                                                     0.4.1-27.fc38                                                           updates                                                     39 k
 python3-docopt                                                             noarch                                                     0.6.2-25.fc38                                                           fedora                                                      35 k
 python3-dotenv                                                             noarch                                                     0.21.1-2.fc38                                                           fedora                                                      53 k
 python3-jsonschema                                                         noarch                                                     4.17.3-2.fc38                                                           fedora                                                     201 k
 python3-paramiko                                                           noarch                                                     3.1.0-1.fc38                                                            fedora                                                     397 k
 python3-pynacl                                                             aarch64                                                    1.5.0-2.fc38                                                            fedora                                                     141 k
 python3-pyrsistent                                                         aarch64                                                    0.19.3-2.fc38                                                           fedora                                                     140 k
 python3-texttable                                                          noarch                                                     1.6.4-4.fc38                                                            fedora                                                      27 k
Installing weak dependencies:
 python3-dotenv+cli                                                         noarch                                                     0.21.1-2.fc38                                                           fedora                                                     9.4 k

Transaction Summary
================================================================================================================================================================================================================================================================================
Install  19 Packages

Total download size: 2.2 M
Installed size: 9.6 M
Downloading Packages:
(1/19): libsodium-1.0.18-11.fc38.aarch64.rpm                                                                                                                                                                                                    357 kB/s | 120 kB     00:00
(2/19): python3-attrs-22.2.0-2.fc38.noarch.rpm                                                                                                                                                                                                  305 kB/s | 124 kB     00:00
(3/19): docker-compose-1.29.2-7.fc38.noarch.rpm                                                                                                                                                                                                 734 kB/s | 338 kB     00:00
(4/19): python3-bcrypt-3.2.2-5.fc38.aarch64.rpm                                                                                                                                                                                                 333 kB/s |  41 kB     00:00
(5/19): python3-cached_property-1.5.2-9.fc38.noarch.rpm                                                                                                                                                                                         367 kB/s |  20 kB     00:00
(6/19): python3-certifi-2022.09.24-2.fc38.noarch.rpm                                                                                                                                                                                            217 kB/s |  15 kB     00:00
(7/19): python3-docker+ssh-5.0.3-3.fc38.noarch.rpm                                                                                                                                                                                               64 kB/s | 8.9 kB     00:00
(8/19): python3-chardet-5.1.0-2.fc38.noarch.rpm                                                                                                                                                                                                 1.3 MB/s | 303 kB     00:00
(9/19): python3-docker-pycreds-0.4.0-15.fc38.noarch.rpm                                                                                                                                                                                         423 kB/s |  28 kB     00:00
(10/19): python3-click-8.1.3-2.fc38.noarch.rpm                                                                                                                                                                                                  844 kB/s | 238 kB     00:00
(11/19): python3-docopt-0.6.2-25.fc38.noarch.rpm                                                                                                                                                                                                390 kB/s |  35 kB     00:00
(12/19): python3-dotenv+cli-0.21.1-2.fc38.noarch.rpm                                                                                                                                                                                            134 kB/s | 9.4 kB     00:00
(13/19): python3-dotenv-0.21.1-2.fc38.noarch.rpm                                                                                                                                                                                                634 kB/s |  53 kB     00:00
(14/19): python3-jsonschema-4.17.3-2.fc38.noarch.rpm                                                                                                                                                                                            857 kB/s | 201 kB     00:00
(15/19): python3-pynacl-1.5.0-2.fc38.aarch64.rpm                                                                                                                                                                                                605 kB/s | 141 kB     00:00
(16/19): python3-paramiko-3.1.0-1.fc38.noarch.rpm                                                                                                                                                                                               1.2 MB/s | 397 kB     00:00
(17/19): python3-texttable-1.6.4-4.fc38.noarch.rpm                                                                                                                                                                                              260 kB/s |  27 kB     00:00
(18/19): python3-pyrsistent-0.19.3-2.fc38.aarch64.rpm                                                                                                                                                                                           801 kB/s | 140 kB     00:00
(19/19): python3-dockerpty-0.4.1-27.fc38.noarch.rpm                                                                                                                                                                                             314 kB/s |  39 kB     00:00
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                                                           425 kB/s | 2.2 MB     00:05
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                                                                                        1/1
  Installing       : python3-attrs-22.2.0-2.fc38.noarch                                                                                                                                                                                                                    1/19
  Installing       : python3-dockerpty-0.4.1-27.fc38.noarch                                                                                                                                                                                                                2/19
  Installing       : python3-texttable-1.6.4-4.fc38.noarch                                                                                                                                                                                                                 3/19
  Installing       : python3-pyrsistent-0.19.3-2.fc38.aarch64                                                                                                                                                                                                              4/19
  Installing       : python3-jsonschema-4.17.3-2.fc38.noarch                                                                                                                                                                                                               5/19
  Installing       : python3-docopt-0.6.2-25.fc38.noarch                                                                                                                                                                                                                   6/19
  Installing       : python3-docker-pycreds-0.4.0-15.fc38.noarch                                                                                                                                                                                                           7/19
  Installing       : python3-click-8.1.3-2.fc38.noarch                                                                                                                                                                                                                     8/19
  Installing       : python3-dotenv-0.21.1-2.fc38.noarch                                                                                                                                                                                                                   9/19
  Installing       : python3-dotenv+cli-0.21.1-2.fc38.noarch                                                                                                                                                                                                              10/19
  Installing       : python3-chardet-5.1.0-2.fc38.noarch                                                                                                                                                                                                                  11/19
  Installing       : python3-certifi-2022.09.24-2.fc38.noarch                                                                                                                                                                                                             12/19
  Installing       : python3-cached_property-1.5.2-9.fc38.noarch                                                                                                                                                                                                          13/19
  Installing       : python3-bcrypt-3.2.2-5.fc38.aarch64                                                                                                                                                                                                                  14/19
  Installing       : libsodium-1.0.18-11.fc38.aarch64                                                                                                                                                                                                                     15/19
  Installing       : python3-pynacl-1.5.0-2.fc38.aarch64                                                                                                                                                                                                                  16/19
  Installing       : python3-paramiko-3.1.0-1.fc38.noarch                                                                                                                                                                                                                 17/19
  Installing       : python3-docker+ssh-5.0.3-3.fc38.noarch                                                                                                                                                                                                               18/19
  Installing       : docker-compose-1.29.2-7.fc38.noarch                                                                                                                                                                                                                  19/19
  Running scriptlet: docker-compose-1.29.2-7.fc38.noarch                                                                                                                                                                                                                  19/19
  Verifying        : docker-compose-1.29.2-7.fc38.noarch                                                                                                                                                                                                                   1/19
  Verifying        : libsodium-1.0.18-11.fc38.aarch64                                                                                                                                                                                                                      2/19
  Verifying        : python3-attrs-22.2.0-2.fc38.noarch                                                                                                                                                                                                                    3/19
  Verifying        : python3-bcrypt-3.2.2-5.fc38.aarch64                                                                                                                                                                                                                   4/19
  Verifying        : python3-cached_property-1.5.2-9.fc38.noarch                                                                                                                                                                                                           5/19
  Verifying        : python3-certifi-2022.09.24-2.fc38.noarch                                                                                                                                                                                                              6/19
  Verifying        : python3-chardet-5.1.0-2.fc38.noarch                                                                                                                                                                                                                   7/19
  Verifying        : python3-click-8.1.3-2.fc38.noarch                                                                                                                                                                                                                     8/19
  Verifying        : python3-docker+ssh-5.0.3-3.fc38.noarch                                                                                                                                                                                                                9/19
  Verifying        : python3-docker-pycreds-0.4.0-15.fc38.noarch                                                                                                                                                                                                          10/19
  Verifying        : python3-docopt-0.6.2-25.fc38.noarch                                                                                                                                                                                                                  11/19
  Verifying        : python3-dotenv+cli-0.21.1-2.fc38.noarch                                                                                                                                                                                                              12/19
  Verifying        : python3-dotenv-0.21.1-2.fc38.noarch                                                                                                                                                                                                                  13/19
  Verifying        : python3-jsonschema-4.17.3-2.fc38.noarch                                                                                                                                                                                                              14/19
  Verifying        : python3-paramiko-3.1.0-1.fc38.noarch                                                                                                                                                                                                                 15/19
  Verifying        : python3-pynacl-1.5.0-2.fc38.aarch64                                                                                                                                                                                                                  16/19
  Verifying        : python3-pyrsistent-0.19.3-2.fc38.aarch64                                                                                                                                                                                                             17/19
  Verifying        : python3-texttable-1.6.4-4.fc38.noarch                                                                                                                                                                                                                18/19
  Verifying        : python3-dockerpty-0.4.1-27.fc38.noarch                                                                                                                                                                                                               19/19

Installed:
  docker-compose-1.29.2-7.fc38.noarch       libsodium-1.0.18-11.fc38.aarch64            python3-attrs-22.2.0-2.fc38.noarch          python3-bcrypt-3.2.2-5.fc38.aarch64             python3-cached_property-1.5.2-9.fc38.noarch     python3-certifi-2022.09.24-2.fc38.noarch
  python3-chardet-5.1.0-2.fc38.noarch       python3-click-8.1.3-2.fc38.noarch           python3-docker+ssh-5.0.3-3.fc38.noarch      python3-docker-pycreds-0.4.0-15.fc38.noarch     python3-dockerpty-0.4.1-27.fc38.noarch          python3-docopt-0.6.2-25.fc38.noarch
  python3-dotenv-0.21.1-2.fc38.noarch       python3-dotenv+cli-0.21.1-2.fc38.noarch     python3-jsonschema-4.17.3-2.fc38.noarch     python3-paramiko-3.1.0-1.fc38.noarch            python3-pynacl-1.5.0-2.fc38.aarch64             python3-pyrsistent-0.19.3-2.fc38.aarch64
  python3-texttable-1.6.4-4.fc38.noarch

Complete!

Original

$ systemctl -user start podman.socket

Check

$ systemctl --user start podman.socket

Original

$ curl -H "Content-Type: application/json" --unix-socket
➥ $XDG_RUNTIME_DIR/podman/podman.sock http://localhost/_ping
OK

Check

$ curl -H "Content-Type: application/json" --unix-socket $XDG_RUNTIME_DIR/podman/podman.sock http://localhost/_ping
OK

Original

$ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock

Check

$ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock

Original

$ mkdir example
$ mv ./html example
$ cd example

Check

$ mkdir example
$ mv ./html example
$ cd example
$ tree ../example/
../example/
└── html
    └── index.html

Original

cat > docker-compose.yaml << _EOF
version: "3.7"
services:
    myapp:
         image: quay.io/rhatdan/myimage:latest
         volumes:
             - ./html:/var/www/html
             - myapp_vol:/vol
         ports:
             - 8080:80
volumes:
    myapp_vol: {}
_EOF

Check

$ cat > docker-compose.yaml << _EOF
version: "3.7"
services:
    myapp:
         image: quay.io/rhatdan/myimage:latest
         volumes:
             - ./html:/var/www/html
             - myapp_vol:/vol
         ports:
             - 8080:80
volumes:
    myapp_vol: {}
_EOF

Original

$ podman pod rm --all --force
$ podman rm --all --force
$ podman rmi --all --force
$ podman volume rm --all --force

Check

$ podman pod rm --all --force
$ podman rm --all --force
$ podman rmi --all --force
$ podman volume rm --all --force

Original

$ docker-compose up
Pulling myapp (quay.io/rhatdan/myimage:latest)...
59bf1c3509f3: Download complete
c059bfaa849c: Download complete
Creating example_myapp_1 …
done Attaching to example_myapp_1

Check

$ docker-compose up
Creating network "example_default" with the default driver
Creating volume "example_myapp_vol" with default driver
Pulling myapp (quay.io/rhatdan/myimage:latest)...
e3460238f8a1: Download complete
dfd8c625d022: Download complete
c7765172d3ce: Download complete
a1eadb69adf1: Download complete
2b782a9ad894: Download complete
2c7e43d88038: Download complete
Creating example_myapp_1 ... done
Attaching to example_myapp_1
myapp_1  | => sourcing 10-set-mpm.sh ...
myapp_1  | => sourcing 20-copy-config.sh ...
myapp_1  | => sourcing 40-ssl-certs.sh ...
myapp_1  | AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.89.1.2. Set the 'ServerName' directive globally to suppress this message
myapp_1  | [Sat Jun 24 09:21:28.560129 2023] [ssl:warn] [pid 1:tid 274978919680] AH01909: 10.89.1.2:8443:0 server certificate does NOT include an ID which matches the server name
myapp_1  | [Sat Jun 24 09:21:28.565651 2023] [:notice] [pid 1:tid 274978919680] ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/) configured.
myapp_1  | [Sat Jun 24 09:21:28.566205 2023] [:notice] [pid 1:tid 274978919680] ModSecurity: APR compiled version="1.6.3"; loaded version="1.6.3"
myapp_1  | [Sat Jun 24 09:21:28.566501 2023] [:notice] [pid 1:tid 274978919680] ModSecurity: PCRE compiled version="8.42 "; loaded version="8.42 2018-03-20"
myapp_1  | [Sat Jun 24 09:21:28.566782 2023] [:notice] [pid 1:tid 274978919680] ModSecurity: LUA compiled version="Lua 5.3"
myapp_1  | [Sat Jun 24 09:21:28.566973 2023] [:notice] [pid 1:tid 274978919680] ModSecurity: YAJL compiled version="2.1.0"
myapp_1  | [Sat Jun 24 09:21:28.567218 2023] [:notice] [pid 1:tid 274978919680] ModSecurity: LIBXML compiled version="2.9.7"
myapp_1  | [Sat Jun 24 09:21:28.567740 2023] [:notice] [pid 1:tid 274978919680] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
myapp_1  | AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.89.1.2. Set the 'ServerName' directive globally to suppress this message
myapp_1  | [Sat Jun 24 09:21:28.761667 2023] [ssl:warn] [pid 1:tid 274978919680] AH01909: 10.89.1.2:8443:0 server certificate does NOT include an ID which matches the server name
myapp_1  | [Sat Jun 24 09:21:28.766917 2023] [lbmethod_heartbeat:notice] [pid 1:tid 274978919680] AH02282: No slotmem from mod_heartmonitor
myapp_1  | [Sat Jun 24 09:21:28.792603 2023] [mpm_event:notice] [pid 1:tid 274978919680] AH00489: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1g configured -- resuming normal operations
myapp_1  | [Sat Jun 24 09:21:28.793260 2023] [core:notice] [pid 1:tid 274978919680] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
Original

$ podman ps --format "{{.ID}} {{.Image}} {{.Ports}} {{.Names}}" 230fce823ff6 quay.io/rhatdan/myimage:latest 0.0.0.0:8080->80/tcp
➥ example_myapp_1

Check

$ podman ps --format "{{.ID}}  {{.Image}}  {{.Ports}}  {{.Names}}"
aabeb0b89d79  quay.io/rhatdan/myimage:latest  0.0.0.0:8080->80/tcp  example_myapp_1

Original

$ podman volume ls
DRIVER VOLUME NAME
local example_myapp_vol

Check

$ podman volume ls
DRIVER      VOLUME NAME
local       example_myapp_vol

Original

^CGracefully stopping... (press Ctrl+C again to force)
Stopping example_myapp_1 ... done

Check

^CGracefully stopping... (press Ctrl+C again to force)
Stopping example_myapp_1 ... done

Original

$ podman ps --format "{{.ID}} {{.Image}} {{.Ports}} {{.Names}}"

Check

$ podman ps --format "{{.ID}} {{.Image}} {{.Ports}} {{.Names}}"
  • no output

Original

$ podman ps -a --format "{{.ID}} {{.Image}} {{.Ports}} {{.Names}}" 230fce823ff6 docker.io/library/alpine:latest 0.0.0.0:8080->80/tcp
➥ example_myapp_1

Check

$ podman ps -a --format "{{.ID}} {{.Image}} {{.Ports}} {{.Names}}"
aabeb0b89d79 quay.io/rhatdan/myimage:latest 0.0.0.0:8080->80/tcp example_myapp_1

Original

$ docker-compose down
Removing example_myapp_1 …
done Removing network example_default

Check

$ docker-compose down
Removing example_myapp_1 ... done
Removing network example_default

Original

$ podman ps -a --format "{{.ID}} {{.Image}} {{.Ports}} {{.Names}}"

Check

$ podman ps -a --format "{{.ID}} {{.Image}} {{.Ports}} {{.Names}}"
  • no output

9.5.1

Original

$ podman --remote version
Client:
Version: 4.1.0
API Version: 4.1.0
Go Version: go1.18.2
Built: Sun Jun 19 07:35:42 2022
OS/Arch: linux/amd64
Server:
Version: 4.1.0
API Version: 4.1.0
Go Version: go1.18.2
Git Commit: a2b78b627f0a9deef83a5b5e4ecffc9cdb5a72b1-dirty
Built: Sun Jun 19 07:35:42 2022
OS/Arch: linux/amd64

Check

$ podman --remote version
Client:       Podman Engine
Version:      4.5.1
API Version:  4.5.1
Go Version:   go1.20.4
Built:        Sat May 27 02:58:19 2023
OS/Arch:      linux/arm64

Server:       Podman Engine
Version:      4.5.1
API Version:  4.5.1
Go Version:   go1.20.4
Built:        Sat May 27 02:58:19 2023
OS/Arch:      linux/arm64

Original

$ podman --remote run ubi8 echo hi
Resolved "ubi8" as an alias (/etc/containers/registries.conf.d/
➥ 000-shortnames.conf) Trying to pull registry.access.redhat.com/ubi8:latest…
..
hi

Check

$ podman --remote run ubi8 echo hi
Resolved "ubi8" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob sha256:dc5bc235f26ca2c3421620cfee5cefca8f0dde9a468be58b0bc5baa4350027e3
Copying config sha256:2ec437f86a60170aae0eddeffb366b09efb6e12e40b9a3f6ea8fb89ab466e50a
Writing manifest to image destination
Storing signatures
hi

9.5.2

Original

$ sudo systemctl enable --now -s sshd 

Check

$ sudo systemctl enable --now sshd 

Original

$ systemctl --user enable --now podman.socket 

Check

$ systemctl --user enable --now podman.socket 

Original

$ sudo loginctl enable-linger $USER 

Check

$ sudo loginctl enable-linger $USER

Original

$ podman --remote info
Host: 
arch: amd64 
buildahVersion: 1.16.0-dev 
… 

Check

$ podman --remote info
host:
  arch: arm64
  buildahVersion: 1.30.0
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.7-2.fc38.aarch64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: '
  cpuUtilization:
    idlePercent: 99.45
    systemPercent: 0.35
    userPercent: 0.2
  cpus: 2
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    variant: server
    version: "38"
  eventLogger: journald
  hostname: localhost.localdomain
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.2.9-300.fc38.aarch64
  linkmode: dynamic
  logDriver: journald
  memFree: 1846792192
  memTotal: 4084936704
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.8.5-1.fc38.aarch64
    path: /usr/bin/crun
    version: |-
      crun version 1.8.5
      commit: b6f80f766c9a89eb7b1440c0a70ab287434b17ed
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-12.fc38.aarch64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 4084199424
  swapTotal: 4084199424
  uptime: 33h 2m 16.00s (Approximately 1.38 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/user/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/user/.local/share/containers/storage
  graphRootAllocated: 6064963584
  graphRootUsed: 3711930368
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 2
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/user/.local/share/containers/storage/volumes
version:
  APIVersion: 4.5.1
  Built: 1685123899
  BuiltTime: Sat May 27 02:58:19 2023
  GitCommit: ""
  GoVersion: go1.20.4
  Os: linux
  OsArch: linux/arm64
  Version: 4.5.1

Original

$ sudo systemctl enable --now podman.socket 

Check

$ sudo systemctl enable --now podman.socket
[sudo] password for user:
Sorry, try again.
[sudo] password for user:
Created symlink /etc/systemd/system/sockets.target.wants/podman.socket → /usr/lib/systemd/system/podman.socket.

9.5.3

Original

$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/myuser/.ssh/id_ed25519):

Check

$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/user/.ssh/id_ed25519):
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_ed25519
Your public key has been saved in /home/user/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:KWUDULrllYDzwSzdRNvixjrIqNRYiJQKtf873XzcY7Y user@localhost.localdomain
The key's randomart image is:
+--[ED25519 256]--+
|  . .B++o        |
| ...+.=o.+       |
|.o. .+..O .      |
|= .. +.* +       |
|o. .o o S        |
|  +o o +         |
| o..o +. o . .   |
|..    .o. o o =  |
|.     ..   . oEo |
+----[SHA256]-----+

Original

$ ssh-copy-id myuser@192.168.122.1
passwd:

Check



9.5.4

Original

$ podman system connection add server1 --identity ~/.ssh/id_ed25519
➥ ssh://myuser@192.168.122.1/run/user/1000/podman/podman.sock

Check



Original

$ podman system connection list
Name Identity URI
system1* id_ed25519
➥ ssh://myuser@192.168.122.1/run/user/1000/podman/podman.sock

Check

$ podman system connection list
Name        URI         Identity    Default

Original

$ podman --remote info
host
    arch:
    amd64 buildahVersion: 1.23.1
    cgroupControllers:
...

Check



10.1.1

Original

$ podman run --rm ubi8 ls /proc/scsi

Check

$ podman run --rm ubi8 ls /proc/scsi

Original

$ podman run --rm --security-opt unmask=/proc/scsi ubi8 ls /proc/scsi
device_info
scsi
sg

Check

$ podman run --rm --security-opt unmask=/proc/scsi ubi8 ls /proc/scsi
device_info
scsi
sg

Original

$ podman run --rm --security-opt unmask=/proc/* ubi8 ls /proc/scsi
device_info
scsi
sg

Check

$ podman run --rm --security-opt unmask=/proc/* ubi8 ls /proc/scsi
device_info
scsi
sg

Original

$ man podman run
...
   • unmask=ALL or /path/1:/path/2, or shell expanded paths (/proc/*):
Paths to unmask separated by a colon. If set to ALL, it will unmask all the
paths that are masked or made read only by default. The default masked
	paths are /proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats,
/proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats,
/sys/firmware, and /sys/fs/selinux.
	The default paths that are read only are /proc/asound, /proc/bus,
/proc/fs, /proc/irq, /proc/sys, /proc/sysrq-trigger, /sys/fs/cgroup.

Check

$ man podman run
...
            • unmask=ALL or /path/1:/path/2, or shell expanded paths (/proc/*): Paths to unmask separated by a colon. If set to ALL, it will unmask all the paths that are masked or made read-only by default.  The default masked paths are /proc/acpi,  /proc/kcore,
                /proc/keys,  /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats, /sys/firmware, and /sys/fs/selinux.  The default paths that are read-only are /proc/asound, /proc/bus, /proc/fs, /proc/irq, /proc/sys, /proc/sysrq-
                trigger, /sys/fs/cgroup.

10.1.2

Original

$ podman run --rm ubi8 ls /proc/sys/dev
cdrom
hpet
i915
mac_hid
raid
scsi
tty

Check

$ podman run --rm ubi8 ls /proc/sys/dev
cdrom
raid
scsi
tty

Original

$ podman run --rm --security-opt mask=/proc/sys/dev ubi8 ls /proc/sys/dev

Check

$ podman run --rm --security-opt mask=/proc/sys/dev ubi8 ls /proc/sys/dev

Original

$ podman run –rm ubi8 cat /proc/self/mountinfo
...
1628 1610 0:5 /null /proc/kcore rw,nosuid –
➥ devtmpfs devtmpfs rw,seclabel,size=4096k,
➥ nr_inodes=1048576,mode=755,inode64                      	❶
...
1620 1595 0:86 / /sys/firmware ro,relatime - tmpfs tmpfs   	❷
rw,context="system_u:object_r:container_file_t:s0:c406,c915",size=0k,uid=32
➥ 67,gid=3267,inode64
...

Check

$ podman run --rm ubi8 cat /proc/self/mountinfo
595 501 0:54 / / rw,relatime - overlay overlay rw,context="system_u:object_r:container_file_t:s0:c682,c817",lowerdir=/home/user/.local/share/containers/storage/overlay/l/3NPR6U7YUHQZFCQJ2GWFWBFNAN,upperdir=/home/user/.local/share/containers/storage/overlay/85ed05ff02d92a5832492d080ef9a9c2d74f102c475e650d41683e87cf0d5bac/diff,workdir=/home/user/.local/share/containers/storage/overlay/85ed05ff02d92a5832492d080ef9a9c2d74f102c475e650d41683e87cf0d5bac/work,volatile,userxattr
596 595 0:59 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
597 595 0:60 / /dev rw,nosuid - tmpfs tmpfs rw,context="system_u:object_r:container_file_t:s0:c682,c817",size=65536k,mode=755,uid=1000,gid=1000,inode64
598 595 0:61 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw,seclabel
599 597 0:62 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,context="system_u:object_r:container_file_t:s0:c682,c817",gid=524292,mode=620,ptmxmode=666
600 597 0:58 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw,seclabel
601 595 0:55 /containers/overlay-containers/8be7c615703fd46078a618a6c1647e99a0362df202e95f486e1e321fa2af651a/userdata/.containerenv /run/.containerenv rw,nosuid,nodev,relatime - tmpfs tmpfs rw,seclabel,size=398916k,nr_inodes=99729,mode=700,uid=1000,gid=1000,inode64
602 595 0:55 /containers/overlay-containers/8be7c615703fd46078a618a6c1647e99a0362df202e95f486e1e321fa2af651a/userdata/run/secrets /run/secrets rw,nosuid,nodev,relatime - tmpfs tmpfs rw,seclabel,size=398916k,nr_inodes=99729,mode=700,uid=1000,gid=1000,inode64
603 595 0:55 /containers/overlay-containers/8be7c615703fd46078a618a6c1647e99a0362df202e95f486e1e321fa2af651a/userdata/hostname /etc/hostname rw,nosuid,nodev,relatime - tmpfs tmpfs rw,seclabel,size=398916k,nr_inodes=99729,mode=700,uid=1000,gid=1000,inode64
604 595 0:55 /containers/overlay-containers/8be7c615703fd46078a618a6c1647e99a0362df202e95f486e1e321fa2af651a/userdata/resolv.conf /etc/resolv.conf rw,nosuid,nodev,relatime - tmpfs tmpfs rw,seclabel,size=398916k,nr_inodes=99729,mode=700,uid=1000,gid=1000,inode64
605 595 0:55 /containers/overlay-containers/8be7c615703fd46078a618a6c1647e99a0362df202e95f486e1e321fa2af651a/userdata/hosts /etc/hosts rw,nosuid,nodev,relatime - tmpfs tmpfs rw,seclabel,size=398916k,nr_inodes=99729,mode=700,uid=1000,gid=1000,inode64
606 597 0:53 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,context="system_u:object_r:container_file_t:s0:c682,c817",size=64000k,uid=1000,gid=1000,inode64
607 598 0:28 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup2 rw,seclabel,nsdelegate,memory_recursiveprot
608 597 0:5 /null /dev/null rw,nosuid,noexec - devtmpfs devtmpfs rw,seclabel,size=4096k,nr_inodes=485153,mode=755,inode64
609 597 0:5 /zero /dev/zero rw,nosuid,noexec - devtmpfs devtmpfs rw,seclabel,size=4096k,nr_inodes=485153,mode=755,inode64
610 597 0:5 /full /dev/full rw,nosuid,noexec - devtmpfs devtmpfs rw,seclabel,size=4096k,nr_inodes=485153,mode=755,inode64
611 597 0:5 /tty /dev/tty rw,nosuid,noexec - devtmpfs devtmpfs rw,seclabel,size=4096k,nr_inodes=485153,mode=755,inode64
612 597 0:5 /random /dev/random rw,nosuid,noexec - devtmpfs devtmpfs rw,seclabel,size=4096k,nr_inodes=485153,mode=755,inode64
613 597 0:5 /urandom /dev/urandom rw,nosuid,noexec - devtmpfs devtmpfs rw,seclabel,size=4096k,nr_inodes=485153,mode=755,inode64
614 596 0:63 / /proc/acpi ro,relatime - tmpfs tmpfs rw,context="system_u:object_r:container_file_t:s0:c682,c817",size=0k,uid=1000,gid=1000,inode64
615 596 0:5 /null /proc/kcore ro,nosuid - devtmpfs devtmpfs rw,seclabel,size=4096k,nr_inodes=485153,mode=755,inode64
616 596 0:5 /null /proc/keys ro,nosuid - devtmpfs devtmpfs rw,seclabel,size=4096k,nr_inodes=485153,mode=755,inode64
617 596 0:5 /null /proc/latency_stats ro,nosuid - devtmpfs devtmpfs rw,seclabel,size=4096k,nr_inodes=485153,mode=755,inode64
618 596 0:5 /null /proc/timer_list ro,nosuid - devtmpfs devtmpfs rw,seclabel,size=4096k,nr_inodes=485153,mode=755,inode64
619 596 0:64 / /proc/scsi ro,relatime - tmpfs tmpfs rw,context="system_u:object_r:container_file_t:s0:c682,c817",size=0k,uid=1000,gid=1000,inode64
620 598 0:65 / /sys/firmware ro,relatime - tmpfs tmpfs rw,context="system_u:object_r:container_file_t:s0:c682,c817",size=0k,uid=1000,gid=1000,inode64
621 598 0:66 / /sys/fs/selinux ro,relatime - tmpfs tmpfs rw,context="system_u:object_r:container_file_t:s0:c682,c817",size=0k,uid=1000,gid=1000,inode64
622 598 0:67 / /sys/dev/block ro,relatime - tmpfs tmpfs rw,context="system_u:object_r:container_file_t:s0:c682,c817",size=0k,uid=1000,gid=1000,inode64
623 596 0:59 /bus /proc/bus ro,nosuid,nodev,noexec,relatime - proc proc rw
624 596 0:59 /fs /proc/fs ro,nosuid,nodev,noexec,relatime - proc proc rw
625 596 0:59 /irq /proc/irq ro,nosuid,nodev,noexec,relatime - proc proc rw
626 596 0:59 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
627 596 0:59 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
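
The mountinfo listing above is what Podman's default mask list looks like from inside the container: empty tmpfs mounts over masked directories, /dev/null bind-mounted over masked files, and read-only proc submounts. As an added example (not from the gist, the book or the Podman project), the Python below parses such output and reports, for each default masked and read-only path quoted from `man podman-run` under 10.1.1, whether it is still protected; the sample input is a constructed subset of the lines above with the long SELinux context= options trimmed.

```python
"""Audit a container's /proc/self/mountinfo against Podman's default mask list.

Added example, not from the gist, the book or the Podman project. Path lists are
the defaults quoted from `man podman-run` under 10.1.1; SAMPLE_MOUNTINFO is a
constructed subset of the `cat /proc/self/mountinfo` output above with the long
SELinux context= options trimmed.
"""

DEFAULT_MASKED = [
    "/proc/acpi", "/proc/kcore", "/proc/keys", "/proc/latency_stats",
    "/proc/sched_debug", "/proc/scsi", "/proc/timer_list", "/proc/timer_stats",
    "/sys/firmware", "/sys/fs/selinux",
]
DEFAULT_READONLY = [
    "/proc/asound", "/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys",
    "/proc/sysrq-trigger", "/sys/fs/cgroup",
]

SAMPLE_MOUNTINFO = """\
596 595 0:59 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
598 595 0:61 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw,seclabel
607 598 0:28 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup2 rw,seclabel,nsdelegate
614 596 0:63 / /proc/acpi ro,relatime - tmpfs tmpfs rw,size=0k,uid=1000,gid=1000,inode64
615 596 0:5 /null /proc/kcore ro,nosuid - devtmpfs devtmpfs rw,seclabel,size=4096k,mode=755
616 596 0:5 /null /proc/keys ro,nosuid - devtmpfs devtmpfs rw,seclabel,size=4096k,mode=755
617 596 0:5 /null /proc/latency_stats ro,nosuid - devtmpfs devtmpfs rw,seclabel,size=4096k,mode=755
618 596 0:5 /null /proc/timer_list ro,nosuid - devtmpfs devtmpfs rw,seclabel,size=4096k,mode=755
619 596 0:64 / /proc/scsi ro,relatime - tmpfs tmpfs rw,size=0k,uid=1000,gid=1000,inode64
620 598 0:65 / /sys/firmware ro,relatime - tmpfs tmpfs rw,size=0k,uid=1000,gid=1000,inode64
621 598 0:66 / /sys/fs/selinux ro,relatime - tmpfs tmpfs rw,size=0k,uid=1000,gid=1000,inode64
623 596 0:59 /bus /proc/bus ro,nosuid,nodev,noexec,relatime - proc proc rw
624 596 0:59 /fs /proc/fs ro,nosuid,nodev,noexec,relatime - proc proc rw
625 596 0:59 /irq /proc/irq ro,nosuid,nodev,noexec,relatime - proc proc rw
626 596 0:59 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
627 596 0:59 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
"""

# What the same container shows after `--security-opt unmask=/proc/scsi`:
# the empty tmpfs over /proc/scsi is simply not mounted any more.
UNMASKED_SCSI_MOUNTINFO = "\n".join(
    line for line in SAMPLE_MOUNTINFO.splitlines() if " /proc/scsi " not in line
)


def parse_mountinfo(text):
    """Map mount point -> {root, options, fstype, superopts} (field layout per proc(5))."""
    mounts = {}
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        fields = pre.split()
        if not sep or len(fields) < 6:
            continue  # blank or malformed line
        fs = post.split()
        mounts[fields[4].replace("\\040", " ")] = {
            "root": fields[3],
            "options": set(fields[5].split(",")),
            "fstype": fs[0],
            "superopts": set(fs[2].split(",")) if len(fs) > 2 else set(),
        }
    return mounts


def classify(path, mounts):
    """Return 'masked', 'read-only', 'writable' or 'not-mounted' for one path."""
    m = mounts.get(path)
    if m is None:
        # Either unmasked by the operator or absent from this kernel
        # (e.g. /proc/sched_debug on 6.x); stat() the path to tell them apart.
        return "not-mounted"
    if m["fstype"] == "tmpfs" and "size=0k" in m["superopts"]:
        return "masked"      # empty tmpfs over a directory
    if m["root"] == "/null" and m["fstype"] == "devtmpfs":
        return "masked"      # /dev/null bind-mounted over a file
    if "ro" in m["options"]:
        return "read-only"
    return "writable"


def audit(mountinfo_text):
    """State of every default-protected path in the given mountinfo text."""
    mounts = parse_mountinfo(mountinfo_text)
    return {p: classify(p, mounts) for p in DEFAULT_MASKED + DEFAULT_READONLY}


def weaker_than_default(mountinfo_text):
    """Default-protected paths that are less protected than Podman's defaults."""
    report = audit(mountinfo_text)
    weak = [p for p in DEFAULT_MASKED if report[p] != "masked"]
    weak += [p for p in DEFAULT_READONLY if report[p] not in ("read-only", "masked")]
    return weak


if __name__ == "__main__":
    for path, state in audit(SAMPLE_MOUNTINFO).items():
        print(f"{path:22} {state}")
    print("weaker than default after unmask=/proc/scsi:",
          weaker_than_default(UNMASKED_SCSI_MOUNTINFO))
```

On the Fedora 38 output the only "not-mounted" entries are paths this kernel does not provide (/proc/sched_debug, /proc/timer_stats, /proc/asound), so a real audit should stat those inside the container before treating them as unmasked.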

10.2

Original

$ capsh --print
Current: =                             	❶
Bounding set =                         	❷
cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,
➥ cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,
➥ cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,
➥ cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,
➥ cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,
➥ cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,
➥ cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,
➥ cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
Ambient set =
...
uid=3267(dwalsh) euid=3267(dwalsh)      	❸
gid=3267(dwalsh)

Check

$ capsh --print
Current: =
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
Ambient set =
Current IAB:
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=1000(user) euid=1000(user)
gid=1000(user)
groups=10(wheel),1000(user)
Guessed mode: UNCERTAIN (0)

10.2.1

Original

$ podman run --rm ubi8 capsh --print
Current: =                                                         	❶
cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,
➥ cap_setuid,cap_setpcap,cap_net_bind_service,cap_sys_chroot,
➥ cap_setfcap+eip
Bounding set =                                                     	❷
cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,
➥ cap_setuid,cap_setpcap,cap_net_bind_service,cap_sys_chroot,cap_setfcap
...
uid=0(root)                                                        	❸
gid=0(root)
groups=

Check

$ podman run --rm ubi8 capsh --print
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_sys_chroot,cap_setfcap=ep
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_sys_chroot,cap_setfcap
Ambient set =
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_net_raw,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_write,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=
Guessed mode: UNCERTAIN (0)

10.2.3

Original

$ podman run --cap-drop CAP_NET_BIND_SERVICE ubi8 capsh --print
Current: =                                                         	❶
cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,
➥ cap_setuid,cap_setpcap,cap_sys_chroot,cap_setfcap+eip
Bounding set =                                                     	❷
cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,
➥ cap_setuid,cap_setpcap,cap_sys_chroot,cap_setfcap

Check

$ podman run --cap-drop CAP_NET_BIND_SERVICE ubi8 capsh --print
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_sys_chroot,cap_setfcap=ep
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_sys_chroot,cap_setfcap
Ambient set =
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_bind_service,!cap_net_broadcast,!cap_net_admin,!cap_net_raw,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_write,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=
Guessed mode: UNCERTAIN (0)

Original

$ podman run --cap-drop all ubi8 capsh --print
Current: =
Bounding set =

Check

$ podman run --cap-drop all ubi8 capsh --print
Current: =
Bounding set =
Ambient set =
Current IAB: !cap_chown,!cap_dac_override,!cap_dac_read_search,!cap_fowner,!cap_fsetid,!cap_kill,!cap_setgid,!cap_setuid,!cap_setpcap,!cap_linux_immutable,!cap_net_bind_service,!cap_net_broadcast,!cap_net_admin,!cap_net_raw,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_chroot,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_write,!cap_audit_control,!cap_setfcap,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=
Guessed mode: UNCERTAIN (0)

10.2.4

Original

$ podman run --cap-add CAP_NET_RAW ubi8 capsh --print
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,
➥ cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_
➥ sys_chroot,cap_setfcap+eip
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,
➥ cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_
➥ sys_chroot,cap_setfcap
...

Check

$ podman run --cap-add CAP_NET_RAW ubi8 capsh --print
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_setfcap=ep
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_setfcap
Ambient set =
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_write,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=
Guessed mode: UNCERTAIN (0)

Original

$ podman run --cap-drop=all --cap-add CAP_NET_RAW ubi8 capsh --print
Current: = cap_net_raw+eip
Bounding set =cap_net_raw
…

Check

$ podman run --cap-drop=all --cap-add CAP_NET_RAW ubi8 capsh --print
Current: cap_net_raw=ep
Bounding set =cap_net_raw
Ambient set =
Current IAB: !cap_chown,!cap_dac_override,!cap_dac_read_search,!cap_fowner,!cap_fsetid,!cap_kill,!cap_setgid,!cap_setuid,!cap_setpcap,!cap_linux_immutable,!cap_net_bind_service,!cap_net_broadcast,!cap_net_admin,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_chroot,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_write,!cap_audit_control,!cap_setfcap,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=
Guessed mode: UNCERTAIN (0)
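
The 10.2.x checks show that newer libcap prints the effective set as `Current: <caps>=ep` where the book's older libcap printed `Current: = <caps>+eip`, so a script that audits container capabilities has to accept both. As an added example (not from the gist, the book or the Podman project), the Python below parses either form and diffs the result against the default set shown in 10.2.1; the sample outputs are constructed from the capsh lines quoted in 10.2.1, 10.2.3 and 10.2.4.

```python
"""Diff a container's effective capabilities against Podman's default set.

Added example, not from the gist, the book or the Podman project; only the
standard library is used. PODMAN_DEFAULT_CAPS is the set printed by
`podman run --rm ubi8 capsh --print` in 10.2.1; the sample outputs below are
constructed from the capsh lines quoted in 10.2.1, 10.2.3 and 10.2.4.
"""
import re

PODMAN_DEFAULT_CAPS = frozenset({
    "cap_chown", "cap_dac_override", "cap_fowner", "cap_fsetid", "cap_kill",
    "cap_setgid", "cap_setuid", "cap_setpcap", "cap_net_bind_service",
    "cap_sys_chroot", "cap_setfcap",
})

DEFAULT_LIST = ("cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,"
                "cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,"
                "cap_sys_chroot,cap_setfcap")

# Older libcap (the book's output): 'Current: = <caps>+eip'
BOOK_DEFAULT = f"Current: = {DEFAULT_LIST}+eip\nBounding set = {DEFAULT_LIST}\n"
# libcap on Fedora 38 (check output): 'Current: <caps>=ep' plus a 'Current IAB:' line
FEDORA_NET_RAW = (
    "Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,"
    "cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,"
    "cap_sys_chroot,cap_setfcap=ep\n"
    "Ambient set =\n"
    "Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast\n"
)
FEDORA_DROP_BIND = ("Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,"
                    "cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_sys_chroot,"
                    "cap_setfcap=ep\n")
FEDORA_DROP_ALL = "Current: =\nBounding set =\nAmbient set =\n"
FEDORA_ONLY_NET_RAW = "Current: cap_net_raw=ep\nBounding set =cap_net_raw\n"

# One libcap text clause: optional name list, an action (+ = -), flag letters.
_CLAUSE = re.compile(r"([a-z0-9_,]*)([+=-])([eip]*)$")


def parse_current(capsh_output):
    """Return the set of effective capability names from capsh's 'Current:' line.

    Accepted spellings (all seen on this page):
      'Current: = cap_a,cap_b+eip'  older libcap, the book's output
      'Current: cap_a,cap_b=ep'     libcap on Fedora 38, the check output
      'Current: ='                  no capabilities, after --cap-drop all
    A bare '=ep' (every capability, as a --privileged container prints it)
    is returned as {'ALL'}. The 'Current IAB:' line is ignored.
    """
    for line in capsh_output.splitlines():
        if not line.startswith("Current:"):
            continue
        spec = line[len("Current:"):].strip()
        if spec.startswith("= "):          # older libcap puts '= ' before the list
            spec = spec[2:]
        effective = set()
        for clause in spec.split():
            m = _CLAUSE.match(clause)
            if not m:
                raise ValueError(f"unrecognised capability clause: {clause!r}")
            names, action, flags = m.groups()
            if action == "-" or "e" not in flags:
                continue                   # dropped, or not in the effective set
            effective.update(names.split(",") if names else ["ALL"])
        return effective
    raise ValueError("no 'Current:' line in capsh output")


def compare_with_default(capsh_output, expected=PODMAN_DEFAULT_CAPS):
    """Capabilities present beyond, and missing from, the expected set."""
    current = parse_current(capsh_output)
    return {"added": sorted(current - expected), "dropped": sorted(expected - current)}


if __name__ == "__main__":
    for label, sample in [("book default", BOOK_DEFAULT),
                          ("--cap-add CAP_NET_RAW", FEDORA_NET_RAW),
                          ("--cap-drop CAP_NET_BIND_SERVICE", FEDORA_DROP_BIND),
                          ("--cap-drop all", FEDORA_DROP_ALL),
                          ("--cap-drop=all --cap-add CAP_NET_RAW", FEDORA_ONLY_NET_RAW)]:
        print(f"{label:40} {compare_with_default(sample)}")
```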

10.3.1

Original

# cat /etc/subuid
dwalsh:100000:65536
containers:2147483647:2147483648   ❶
# cat /etc/subgid
dwalsh:100000:65536
containers:2147483647:2147483648   ❶

Check

# vi /etc/subuid
containers:2147483647:2147483648
# vi /etc/subgid
containers:2147483647:2147483648
# cat /etc/subuid
user:524288:65536
containers:2147483647:2147483648
# cat /etc/subgid
user:524288:65536
containers:2147483647:2147483648

Original

# podman run --userns=auto ubi8 cat /proc/self/uid_map
 	0 2147483647   1024

Check/NG

# podman run --userns=auto ubi8 cat /proc/self/uid_map
Resolved "ubi8" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob dc5bc235f26c skipped: already exists
Copying config 2ec437f86a done
Writing manifest to image destination
Storing signatures
ERRO[0005] Cannot find mappings for user "containers": no subuid ranges found for user "containers" in /etc/subuid
Error: creating container storage: not enough unused IDs in user namespace

Check/OK

# podman run --userns=auto ubi8 cat /proc/self/uid_map
         0 2147483647       1024

Original

# podman run --user=2000 --userns=auto ubi8 cat /proc/self/uid_map
 	0 2147484671   2001

Check/NG

# podman run --user=2000 --userns=auto ubi8 cat /proc/self/uid_map
ERRO[0000] Cannot find mappings for user "containers": no subuid ranges found for user "containers" in /etc/subuid
Error: creating container storage: not enough unused IDs in user namespace

Check/OK

# podman run --user=2000 --userns=auto ubi8 cat /proc/self/uid_map
         0 2147484671       2001

Original

# podman run --userns=auto:size=5000 ubi8 cat /proc/self/uid_map
 	0 2147486672   5000

Check/NG

# podman run --userns=auto:size=5000 ubi8 cat /proc/self/uid_map
ERRO[0000] Cannot find mappings for user "containers": no subuid ranges found for user "containers" in /etc/subuid
Error: creating container storage: not enough unused IDs in user namespace

Check/OK

# podman run --userns=auto:size=5000 ubi8 cat /proc/self/uid_map
         0 2147491672       5000

Original

# podman run --rm --userns=auto ubi8 cat /proc/self/uid_map
 	0 2147491672   1024
# podman run --rm --userns=auto ubi8 cat /proc/self/uid_map
 	0 2147491672   1024

Check/NG

# podman run --rm --userns=auto ubi8 cat /proc/self/uid_map
ERRO[0000] Cannot find mappings for user "containers": no subuid ranges found for user "containers" in /etc/subuid
Error: creating container storage: not enough unused IDs in user namespace

# podman run --rm --userns=auto ubi8 cat /proc/self/uid_map
ERRO[0000] Cannot find mappings for user "containers": no subuid ranges found for user "containers" in /etc/subuid
Error: creating container storage: not enough unused IDs in user namespace

Check/OK

# podman run --rm --userns=auto ubi8 cat /proc/self/uid_map
         0 2147496672       1024

10.3.2

Original

# podman run --rm ubi8 capsh --print | grep Current
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,
➥ cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_sys_chroot,
➥ cap_setfcap+eip
# podman run --rm --userns=auto ubi8 capsh --print | grep Current
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,
➥ cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_sys_chroot,
➥ cap_setfcap+eip

Check/NG

# podman run --rm ubi8 capsh --print | grep Current
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_sys_chroot,cap_setfcap=ep
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_net_raw,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_write,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore

# podman run --rm --userns=auto ubi8 capsh --print | grep Current
ERRO[0000] Cannot find mappings for user "containers": no subuid ranges found for user "containers" in /etc/subuid
Error: creating container storage: not enough unused IDs in user namespace

Check/OK

# podman run --rm ubi8 capsh --print | grep Current
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_sys_chroot,cap_setfcap=ep
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_net_raw,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_write,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore

# podman run --rm --userns=auto ubi8 capsh --print | grep Current
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_sys_chroot,cap_setfcap=ep
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_net_raw,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_write,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore

Original

# podman run --rm --userns=auto:size=5000 ubi8 chown 6000 /etc/motd
chown: changing ownership of '/etc/motd': Invalid argument

Check/NG

# podman run --rm --userns=auto:size=5000 ubi8 chown 6000 /etc/motd
ERRO[0000] Cannot find mappings for user "containers": no subuid ranges found for user "containers" in /etc/subuid
Error: creating container storage: not enough unused IDs in user namespace

Check/OK

# podman run --rm --userns=auto:size=5000 ubi8 chown 6000 /etc/motd
chown: changing ownership of '/etc/motd': Invalid argument

Original

# podman run --rm --userns=auto:size=5000 ubi8 chown 4000 /etc/motd

Check/NG

# podman run --rm --userns=auto:size=5000 ubi8 chown 4000 /etc/motd
ERRO[0000] Cannot find mappings for user "containers": no subuid ranges found for user "containers" in /etc/subuid
Error: creating container storage: not enough unused IDs in user namespace

Check/OK

# podman run --rm --userns=auto:size=5000 ubi8 chown 4000 /etc/motd

10.3.3

Original

$ podman run --userns=auto ubi8 cat /proc/self/uid_map
 	0   1  	1024
$ podman run --userns=auto ubi8 cat /proc/self/uid_map
 	0   1025   1024

Check

$ podman run --userns=auto ubi8 cat /proc/self/uid_map
         0          1       1024
$ podman run --userns=auto ubi8 cat /proc/self/uid_map
         0       1025       1024

Original

$ podman run --rm ubi8 cat /proc/self/uid_map
 	0   3267	1
 	1   100000	65536

Check

$ podman run --rm ubi8 cat /proc/self/uid_map
         0       1000          1
         1     524288      65536

10.3.4

Original

# mkdir /mnt/test
# ls -ld /mnt/test
drwxr-xr-x. 2 root root 6 Feb 8 16:23 /mnt/test                       	❶
# podman run --rm -v /mnt/test:/mnt/test --userns=auto ubi8 ls -ld /mnt/test
drwxr-xr-x. 2 nobody nobody 6 Feb 8 21:23 /mnt/test                   	❷
# podman run --rm -v /mnt/test:/mnt/test:Z --userns=auto ubi8 touch /mnt/test
touch: setting times of '/mnt/test':
➥ Permission denied  

Check/NG

# mkdir /mnt/test
# ls -ld /mnt/test
drwxr-xr-x. 2 root root 6 Jun 25 05:56 /mnt/test

# podman run --rm -v /mnt/test:/mnt/test --userns=auto ubi8 ls -ld /mnt/test
ERRO[0000] Cannot find mappings for user "containers": no subuid ranges found for user "containers" in /etc/subuid
Error: creating container storage: not enough unused IDs in user namespace

# podman run --rm -v /mnt/test:/mnt/test:Z --userns=auto ubi8 touch /mnt/test
ERRO[0000] Cannot find mappings for user "containers": no subuid ranges found for user "containers" in /etc/subuid
Error: creating container storage: not enough unused IDs in user namespace

Check/OK

# mkdir /mnt/test
# ls -ld /mnt/test
drwxr-xr-x 2 root root 4096 Jun 28 14:56 /mnt/test
# podman run --rm -v /mnt/test:/mnt/test --userns=auto ubi8 ls -ld /mnt/test
drwxr-xr-x 2 nobody nobody 4096 Jun 28 05:56 /mnt/test
# podman run --rm -v /mnt/test:/mnt/test:Z --userns=auto ubi8 touch /mnt/test
touch: setting times of '/mnt/test': Permission denied

Original

# ls -ld /mnt/test
drwxr-xr-x. 2 root root 6 Feb 8 16:38 /mnt/test
# podman run --rm -v /mnt/test:/mnt/test:Z,U
➥ --userns=auto ubi8 touch /mnt/test/test1   	❶
# ls -ld /mnt/test
drwxr-xr-x. 2 2147503960 2147503960
➥ 19 Feb 8 16:38 /mnt/test       

Check/NG

# ls -ld /mnt/test
drwxr-xr-x. 2 root root 6 Jun 25 05:56 /mnt/test
# podman run --rm -v /mnt/test:/mnt/test:Z,U --userns=auto ubi8 touch /mnt/test/test1

Check/OK

# ls -ld /mnt/test
drwxr-xr-x. 2 root root 6 Jun 25 05:56 /mnt/test
# podman run --rm -v /mnt/test:/mnt/test:Z,U --userns=auto ubi8 touch /mnt/test/test1
# ls -ld /mnt/test
drwxr-xr-x. 2 2147483647 2147483647 19 Jun 25 17:30 /mnt/test

Original

# chown -R root:root /mnt/test                     	❶
# podman run --rm -v /mnt/test:/mnt/test:idmap,Z
➥ --userns=auto ubi8 ls -ld /mnt/test             	❷
drwxr-xr-x. 2 root root 31 Feb 9 11:56 /mnt/test
# podman run --rm -v /mnt/test:/mnt/test:idmap,Z
➥ --userns=auto ubi8 touch /mnt/test/test         	❸
# ls -l /mnt/test                                  	❹
total 0
-rw-r--r--. 1 root root 0 Feb 9 06:57 test
-rw-r--r--. 1 root root 0 Feb 8 17:02 test1

Check/OK

# chown -R root:root /mnt/test  
# podman run --rm -v /mnt/test:/mnt/test:idmap,Z --userns=auto ubi8 ls -ld /mnt/test
drwxr-xr-x. 2 root root 19 Jun 25 08:30 /mnt/test
# podman run --rm -v /mnt/test:/mnt/test:idmap,Z --userns=auto ubi8 touch /mnt/test/test
# podman run --rm -v /mnt/test:/mnt/test:idmap,Z --userns=auto ubi8 touch /mnt/test/test
# ls -l /mnt/test
total 0
-rw-r--r--. 1 root root 0 Jun 25 17:34 test
-rw-r--r--. 1 root root 0 Jun 25 17:30 test1
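
The results in 10.3.1 through 10.3.4 all follow from how the kernel applies the `/proc/self/uid_map` lines (`<container-start> <host-start> <length>`): `chown 6000` fails with "Invalid argument" because UID 6000 lies outside a 5000-ID map, a root-owned host directory appears as `nobody` because host UID 0 maps to nothing, and the `:U` option rewrites the directory to host UID 2147483647, which is container root in that map. As an added example (not from the gist, the book or the Podman project), the Python below implements that translation in both directions over maps constructed from the uid_map outputs shown above.

```python
"""Resolve UIDs through a /proc/self/uid_map the way the kernel does.

Added example, not from the gist, the book or the Podman project. The maps are
constructed from the `cat /proc/self/uid_map` outputs in 10.3.1 and 10.3.3;
each line reads  <container-start> <host-start> <length>.
"""

OVERFLOW_UID = 65534  # kernel overflowuid; shown as 'nobody' inside the container

# `podman run --userns=auto ubi8 cat /proc/self/uid_map` (10.3.1, Check/OK)
AUTO_1024 = "         0 2147483647       1024\n"
# `podman run --userns=auto:size=5000 ...` (10.3.1, Check/OK)
AUTO_5000 = "         0 2147491672       5000\n"
# rootless `podman run --rm ubi8 cat /proc/self/uid_map` (10.3.3, Check)
ROOTLESS = "         0       1000          1\n         1     524288      65536\n"


def parse_uid_map(text):
    """Return a list of (container_start, host_start, length) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        entries.append(tuple(int(p) for p in parts))
    return entries


def container_to_host(uid_map_text, uid):
    """Host UID backing container UID `uid`, or None when it is unmapped.

    chown(2) to an unmapped UID fails with EINVAL, which is the
    "chown: changing ownership of '/etc/motd': Invalid argument" seen for
    `chown 6000` inside an auto:size=5000 namespace in 10.3.2.
    """
    for c_start, h_start, length in parse_uid_map(uid_map_text):
        if c_start <= uid < c_start + length:
            return h_start + (uid - c_start)
    return None


def host_to_container(uid_map_text, host_uid):
    """UID the container sees on a file owned by `host_uid` on the host.

    Host UIDs outside every range collapse to the overflow UID (nobody), which
    is why the root-owned /mnt/test lists as nobody:nobody under --userns=auto.
    """
    for c_start, h_start, length in parse_uid_map(uid_map_text):
        if h_start <= host_uid < h_start + length:
            return c_start + (host_uid - h_start)
    return OVERFLOW_UID


def chown_allowed(uid_map_text, uid):
    """True when chown to `uid` can succeed in the namespace (the UID is mapped)."""
    return container_to_host(uid_map_text, uid) is not None


if __name__ == "__main__":
    print("auto:size=5000  chown 4000 ->", chown_allowed(AUTO_5000, 4000))
    print("auto:size=5000  chown 6000 ->", chown_allowed(AUTO_5000, 6000))
    print("auto            host root shows as uid", host_to_container(AUTO_1024, 0))
    print("auto            :U chown puts the dir at host uid",
          container_to_host(AUTO_1024, 0))
    print("rootless        container uid 1 is host uid", container_to_host(ROOTLESS, 1))
```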

10.4

Original

$ podman run --rm ubi8 find /proc -maxdepth 1
➥ -type d -regex ".*/[0-9]*"                 	❶
/proc/1
$ podman run --rm --pid=host ubi8 find
➥ /proc -maxdepth 1 -type d -regex ".*/[0-9]*"   ❷
/proc/1
/proc/2
/proc/3
/proc/4
...

Check

$ podman run --rm ubi8 find /proc -maxdepth 1 -type d -regex ".*/[0-9]*"
/proc/1
$ podman run --rm --pid=host ubi8 find /proc -maxdepth 1 -type d -regex ".*/[0-9]*"
/proc/1
/proc/2
/proc/3
/proc/4
...

10.5

Original

$ podman network create net1
net1
$ podman network create net2
net2

Check

$ podman network create net1
net1
$ podman network create net2
net2

Original

$ podman run -d --network net1 --name 
➥ cnet1 ubi8 sleep 1000 
74ce5b2396f77fce8c499b121aeb8731f1e1b22e363a6a72d243487cf93a5897
$ podman run --network net1 alpine 
➥ ping -c 1 cnet1 
PING cnet1 (10.89.0.4): 56 data bytes
64 bytes from 10.89.0.4: seq=0 ttl=42 time=0.077 ms

Check

$ podman run -d --network net1 --name cnet1 ubi8 sleep 1000
4092ef5f05c9df3381e4c84f169e63b61d8bff491360a1c2f01fb7537a0883b1
$ podman run --network net1 alpine ping -c 1 cnet1
PING cnet1 (10.89.0.2): 56 data bytes
64 bytes from 10.89.0.2: seq=0 ttl=42 time=0.057 ms

--- cnet1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.057/0.057/0.057 ms 

Original

$ podman run --rm alpine ping -c 1 cnet1
ping: bad address 'cnet1'
$ podman run alpine ping -c 1 10.89.0.4 
PING 10.89.0.4 (10.89.0.4): 56 data bytes
64 bytes from 10.89.0.4: seq=0 ttl=42 time=0.073 ms

Check/NG

$ podman run --rm alpine ping -c 1 cnet1
ping: bad address 'cnet1'
$ podman run alpine ping -c 1 10.89.0.2
PING 10.89.0.2 (10.89.0.2): 56 data bytes

--- 10.89.0.2 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

Check/OK

# podman run --rm alpine ping -c 1 cnet1
ping: bad address 'cnet1'
# podman run alpine ping -c 1 10.89.0.2
PING 10.89.0.2 (10.89.0.2): 56 data bytes
64 bytes from 10.89.0.2: seq=0 ttl=42 time=0.094 ms

--- 10.89.0.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.094/0.094/0.094 ms
  • Must be run as root.

Original

$ podman run --rm --network net2 alpine ping -c 1 cnet1
ping: bad address 'cnet1'

Check

$ podman run --rm --network net2 alpine ping -c 1 cnet1
ping: bad address 'cnet1'

10.6

Original

$ podman run -d --rm --name ipc1 ubi8 bash 
➥ -c "touch /dev/shm/ipc1; sleep 1000" 
93df44264dd4b87d24f59dfffb92a6a0b6359bc5bcf94213d5e38499a10d3f3e
$ podman run --rm ubi8 ls /dev/shm 
$ podman run --rm --ipc=container:ipc1 ubi8 ls /dev/shm 
ipc1

Check

$ podman run -d --rm --name ipc1 ubi8 bash -c "touch /dev/shm/ipc1; sleep 1000"
c9f31b97be551eac7be3dee33c28e44b28475beb977d621c3b54eea686f84e15
$ podman run --rm ubi8 ls /dev/shm 
$ podman run --rm --ipc=container:ipc1 ubi8 ls /dev/shm
ipc1

10.8.1

Original

$ podman run --rm ubi8 cat /proc/self/attr/current
system_u:system_r:container_t:s0:c694,c944
$ podman run --rm --privileged ubi8 cat /proc/self/attr/current
unconfined_u:system_r:spc_t:s0

Check/NG

$ podman run --rm ubi8 cat /proc/self/attr/current
cat: /proc/self/attr/current: Invalid argument
$ podman run --rm --privileged ubi8 cat /proc/self/attr/current
cat: /proc/self/attr/current: Invalid argument

Check/OK

$ podman run --rm ubi8 cat /proc/self/attr/current
system_u:system_r:container_t:s0:c243,c996
$ podman run --rm --privileged ubi8 cat /proc/self/attr/current
unconfined_u:system_r:spc_t:s0

Original

$ podman run --rm ubi8 ls -Z /
system_u:object_r:container_file_t:s0:c88,c191 bin
system_u:object_r:container_file_t:s0:c88,c191 boot
system_u:object_r:container_file_t:s0:c88,c191 dev
system_u:object_r:container_file_t:s0:c88,c191 etc
system_u:object_r:container_file_t:s0:c88,c191 home
system_u:object_r:container_file_t:s0:c88,c191 lib
…

Check/OK

$ podman run --rm ubi8 ls -Z /
system_u:object_r:container_file_t:s0:c438,c733 bin
system_u:object_r:container_file_t:s0:c438,c733 boot
system_u:object_r:container_file_t:s0:c438,c733 dev
system_u:object_r:container_file_t:s0:c438,c733 etc
system_u:object_r:container_file_t:s0:c438,c733 home
system_u:object_r:container_file_t:s0:c438,c733 lib
system_u:object_r:container_file_t:s0:c438,c733 lib64
system_u:object_r:container_file_t:s0:c438,c733 lost+found
system_u:object_r:container_file_t:s0:c438,c733 media
system_u:object_r:container_file_t:s0:c438,c733 mnt
system_u:object_r:container_file_t:s0:c438,c733 opt
                    system_u:object_r:proc_t:s0 proc
system_u:object_r:container_file_t:s0:c438,c733 root
system_u:object_r:container_file_t:s0:c438,c733 run
system_u:object_r:container_file_t:s0:c438,c733 sbin
system_u:object_r:container_file_t:s0:c438,c733 srv
                   system_u:object_r:sysfs_t:s0 sys
system_u:object_r:container_file_t:s0:c438,c733 tmp
system_u:object_r:container_file_t:s0:c438,c733 usr
system_u:object_r:container_file_t:s0:c438,c733 var

Original

$ ls -1Z $HOME/.ssh/
unconfined_u:object_r:ssh_home_t:s0 authorized_keys
unconfined_u:object_r:ssh_home_t:s0 authorized_keys2
unconfined_u:object_r:ssh_home_t:s0 config
…

Check

$ ls -1Z $HOME/.ssh/
unconfined_u:object_r:ssh_home_t:s0 id_ed25519
unconfined_u:object_r:ssh_home_t:s0 id_ed25519.pub

Original

$ podman run -v $HOME/.ssh:/.ssh ubi8 ls /.ssh
ls: cannot open directory '/.ssh': Permission denied

Check

$ podman run -v $HOME/.ssh:/.ssh ubi8 ls /.ssh
ls: cannot open directory '/.ssh': Permission denied

Original

$ mkdir foo
$ ls -Zd foo 
unconfined_u:object_r:user_home_t:s0 foo
$ podman run -v ./foo:/foo ubi8 touch /foo/bar 
touch: cannot touch '/foo/bar': Permission denied
$ podman run --privileged -v ./foo:/foo ubi8 touch 
➥ /foo/bar 
$ ls -Z foo 
unconfined_u:object_r:user_home_t:s0 bar
$ rm foo/bar
$ podman run -v ./foo:/foo:Z ubi8 touch /foo/bar 
$ ls -Z ./foo 
system_u:object_r:container_file_t:s0:c454,c510 bar

Check

$ mkdir foo
$ ls -Zd foo
unconfined_u:object_r:user_home_t:s0 foo
$ podman run -v ./foo:/foo ubi8 touch /foo/bar
touch: cannot touch '/foo/bar': Permission denied
$ podman run --privileged -v ./foo:/foo ubi8 touch /foo/bar
$ ls -Z foo
unconfined_u:object_r:user_home_t:s0 bar
$ rm foo/bar
$ podman run -v ./foo:/foo:Z ubi8 touch /foo/bar
$ ls -Z ./foo
system_u:object_r:container_file_t:s0:c199,c225 bar

10.8.2

Original

$ podman run --rm ubi8 cat /proc/self/attr/current
System_u:system_r:container_t:s0:c648,c1009
$ podman run --rm ubi8 cat /proc/self/attr/current
system_u:system_r:container_t:s0:c393,c834

Check

$ podman run --rm ubi8 cat /proc/self/attr/current
system_u:system_r:container_t:s0:c187,c651
$ podman run --rm ubi8 cat /proc/self/attr/current
system_u:system_r:container_t:s0:c35,c604

Original

$ ls -Z ./foo 
system_u:object_r:container_file_t:s0:c454,c510 bar
$ podman run -v ./foo:/foo ubi8 touch /foo/bar 
touch: cannot touch '/foo/bar': Permission denied
$ podman run --security-opt label=level:s0:c454,c510
➥ -v ./foo:/foo ubi8 touch /foo/bar

Check

$ ls -Z ./foo
system_u:object_r:container_file_t:s0:c199,c225 bar
$ podman run -v ./foo:/foo ubi8 touch /foo/bar
touch: cannot touch '/foo/bar': Permission denied
$ podman run --security-opt label=level:s0:c199,c225 -v ./foo:/foo ubi8 touch /foo/bar

Original

$ podman run -v ./foo:/foo:z ubi8 touch /foo/bar 
$ ls -Z foo/ 
system_u:object_r:container_file_t:s0 bar
$ podman run --rm -v ./foo:/foo ubi8 touch /foo/bar

Check

$ podman run -v ./foo:/foo:z ubi8 touch /foo/bar 
$ ls -Z foo/ 
system_u:object_r:container_file_t:s0 bar
$ podman run --rm -v ./foo:/foo ubi8 touch /foo/bar

Original

$ podman run --rm --security-opt label=disable ubi8 cat 
➥ /proc/self/attr/current
unconfined_u:system_r:spc_t:s0
$ podman run --rm -v $HOME/.ssh:/ssh --security-opt label=disable ubi8 ls /ssh
authorized_keys
authorized_keys2
config
fedora_rsa
fedora_rsa.pub
…

Check

$ podman run --rm --security-opt label=disable ubi8 cat /proc/self/attr/current
unconfined_u:system_r:spc_t:s0
$ podman run --rm -v $HOME/.ssh:/ssh --security-opt label=disable ubi8 ls /ssh
id_ed25519
id_ed25519.pub

10.9

Original

$ sed '/mkdir/d' /usr/share/containers
➥ /seccomp.json > /tmp/seccomp.json 
$ diff /usr/share/containers/seccomp.json/ 
➥ tmp/seccomp.json 
249,250d248
< "mkdir",
< "mkdirat",
$ podman run --rm --security-opt seccomp=/
➥ tmp/seccomp.json ubi8 mkdir /foo 
mkdir: cannot create directory '/foo': Function not implemented
$ podman run --rm ubi8 mkdir /foo

Check

$ sed '/mkdir/d' /usr/share/containers/seccomp.json > /tmp/seccomp.json
$ diff /usr/share/containers/seccomp.json/ tmp/seccomp.json
diff: /usr/share/containers/seccomp.json/: Not a directory
diff: tmp/seccomp.json: No such file or directory
$ diff /usr/share/containers/seccomp.json /tmp/seccomp.json
253,254d252
< 				"mkdir",
< 				"mkdirat",
$ podman run --rm --security-opt seccomp=/tmp/seccomp.json ubi8 mkdir /foo
mkdir: cannot create directory '/foo': Function not implemented
$ podman run --rm ubi8 mkdir /foo

11.1.1

Original

# ls -l /run/docker.sock
srw-rw----. 1 root docker 0 Jun 13 14:54 /run/docker.sock

Check

# docker version
Client:
 Version:           20.10.23
 API version:       1.41
 Go version:        go1.20rc3
 Git commit:        %{shortcommit_cli}
 Built:             Sun Jan 29 17:23:30 2023
 OS/Arch:           linux/arm64
 Context:           default
 Experimental:      true

Server:
 Engine:
  Version:          20.10.23
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.20rc3
  Git commit:       %{shortcommit_moby}
  Built:            Sun Jan 29 17:23:30 2023
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.19
  GitCommit:
 runc:
  Version:          1.1.7
  GitCommit:
 docker-init:
  Version:          0.19.0
  GitCommit:
# ls -l /run/docker.sock
srw-rw----. 1 root docker 0 Jul  5 14:07 /run/docker.sock 

Original

$ docker run registry.access.redhat.com/ubi8-micro echo hi
Unable to find image 'registry.access.redhat.com/ubi8-micro:latest' locally|
latest: Pulling from ubi8-micro
4f4fb700ef54: Pull complete
b6d5e0581b2f: Pull complete
Digest: sha256:a519ab06c0287085c352af0d2b84f2a2b257d2afb2e554b8d38a076cd6205b48
Status: Downloaded newer image for registry.access.redhat.com/
ubi8-micro:latest
hi

Check

$ sudo usermod -aG docker user
$ id
uid=1000(user) gid=1000(user) groups=1000(user),10(wheel),986(docker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ docker run registry.access.redhat.com/ubi8-micro echo hi
Unable to find image 'registry.access.redhat.com/ubi8-micro:latest' locally
latest: Pulling from ubi8-micro
83c12733586f: Pull complete
Digest: sha256:443db9a646aaf9374f95d266ba0c8656a52d70d0ffcc386a782cea28fa32e55d
Status: Downloaded newer image for registry.access.redhat.com/ubi8-micro:latest
hi

Original

$ docker run -ti --name hack -v /:/host --privileged registry.access.redhat.com/ubi8-micro chroot /host
# cat /etc/shadow
...

Check

$ docker run -ti --name hack -v /:/host --privileged registry.access.redhat.com/ubi8-micro chroot /host
sh-5.2# cat /etc/shadow
...

Original

$ docker rm hack
hack

Check

$ docker rm hack
hack

11.1.2

Original

$ cat /proc/self/loginuid
3267

Check

$ cat /proc/self/loginuid
1000

Original

$ sudo cat /proc/self/loginuid
3267

Check

$ sudo cat /proc/self/loginuid
1000

Original

$ podman run -d ubi8-micro sleep 20
1c55b9cfa0cd20c36da4b606415e190a6c20cc868d3486981c7713d41ee9ea6a
$ podman inspect -l --format '{{ .State.Pid }}'
119394
$ cat /proc/119394/loginuid
3267

Check

$ podman run -d ubi8-micro sleep 20
07b7aae5afb22bcb639eb8027b62ce47bd6830bd4cf3da5e058a823483bc38a2
$ podman inspect -l --format '{{ .State.Pid }}'
459562
$ cat /proc/459562/loginuid
1000

Original

$ docker run -d registry.access.redhat.com/ubi8-micro sleep 20
df2302cf8c6385df2b86ccd3429166e0d8dd0c9f0d0139e98e6354809a04080e
$ docker inspect df2302cf8c6 --format '{{ .State.Pid }}'
120022
$ cat /proc/120022/loginuid
4294967295

Check

$ docker run -d registry.access.redhat.com/ubi8-micro sleep 200
246cdeb5a07d4eb33599f78eeab2717f98a01005576dabf10b2aaa33955539ba
$ docker ps
CONTAINER ID   IMAGE                                   COMMAND       CREATED         STATUS         PORTS     NAMES
246cdeb5a07d   registry.access.redhat.com/ubi8-micro   "sleep 200"   5 seconds ago   Up 5 seconds             peaceful_matsumoto
$ docker inspect 246cdeb5a07d --format '{{ .State.Pid }}'
3406
$ cat /proc/3406/loginuid
429496729

Original

# ausearch -m USER_START
type=USER_START msg=audit(1651064687.963:315): pid=2579 uid=0 auid=3267
➥ ses=3 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open 
➥ grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,
➥ pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring,pam_umask acct=
➥ "dwalsh" exe="/usr/libexec/gdm-session-worker" hostname=fedora addr=? 
➥ terminal=/dev/tty2 res=success'UID="root" AUID="dwalsh"

Check

# ausearch -m USER_START
...
type=USER_START msg=audit(1688534559.269:846): pid=3522 uid=0 auid=1000 ses=7 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask,pam_lastlog acct="user" exe="/usr/bin/login" hostname=localhost.localdomain addr=? terminal=/dev/tty1 res=success'

Original

# auditctl -w /etc/passwd -p wa -k passwd

Check

# auditctl -w /etc/passwd -p wa -k passwd

Original

# docker run --privileged -v /:/host registry.access.redhat.com/ubi8-
➥ micro:latest touch /host/etc/passwd

Check

# docker run --privileged -v /:/host registry.access.redhat.com/ubi8-micro:latest touch /host/etc/passwd

Original

# ausearch -k passwd -i
…
type=SYSCALL msg=audit(05/03/2022 08:24:52.885:464) : arch=x86_64 
➥ syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x7ffef7a9ef75 
➥ a2=O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK a3=0x1b6 items=2 ppid=6723 
➥ pid=6743 auid=unset uid=root gid=root euid=root suid=root fsuid=root 
➥ egid=root sgid=root fsgid=root tty=(none) ses=unset comm=touch 
➥ exe=/usr/bin/coreutils

Check

# ausearch -k passwd -i
----
type=CONFIG_CHANGE msg=audit(07/05/2023 14:23:35.610:861) : auid=user ses=6 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=add_rule key=passwd list=exit res=yes

Original

# podman run --privileged -v /:/host registry.access.redhat.com/
➥ ubi8-micro:latest touch /host/etc/passwd

Check

# podman run --privileged -v /:/host registry.access.redhat.com/ubi8-micro:latest touch /host/etc/passwd

Original

# ausearch -k passwd -i
…
type=SYSCALL msg=audit(05/03/2022 08:25:42.466:480) : arch=x86_64 
➥ syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD 
➥ a1=0x7fff3d5aef59 a2=O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK a3=0x1b6 
➥ items=2 ppid=6978 pid=6986 auid=dwalsh uid=root gid=root euid=root 
➥ suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 
➥ comm=touch exe=/usr/bin/coreutils 
➥ subj=system_u:system_r:container_t:s0:c484,c845 key=passw

Check

# ausearch -k passwd -i
<no matches>

11.2

Original

$ echo "This is my secret" > /tmp/secret
$ podman secret create my_secret/tmp/secret
b5f27b90e9b3486fb5a78d1eb
$ podman run --rm --secret my_secret ubi8 cat /run/secrets/my_secret
This is my secret

Check

$ echo "This is my secret" > /tmp/secret
$ podman secret create my_secret /tmp/secret
3e771a42682c01b703a044a69
$ podman run --rm --secret my_secret ubi8 cat /run/secrets/my_secret
This is my secret

Original

$ podman run --secret my_secret,type=env --name secret_ctr ubi8 bash 
➥ -c 'echo $my_secret'
This is my secret

Check

$ podman run --secret my_secret,type=env --name secret_ctr ubi8 bash -c 'echo $my_secret'
This is my secret

Original

$ podman commit secret_ctr secret_img 
Getting image source signatures
Copying blob a9820c2af00a skipped: already exists 
Copying blob 3d5ecee9360e skipped: already exists 
Copying blob dc409efbefc4 done 
Copying config 501812299f done 
Writing manifest to image destination
Storing signatures
501812299f0c0cfbb032d144e6d2c2a41c5eadf229e7b76f6264ab74d9f6c069
$ podman image inspect secret_img --format 
➥ '{{ .Config.Env }}' 
[TERM=xterm container=oci PATH=/usr/local/sbin:/usr/local/
➥ bin:/usr/sbin:/usr/bin:/sbin:/bin]

Check

$ podman commit secret_ctr secret_img
Getting image source signatures
Copying blob 7cd83e46b222 skipped: already exists
Copying blob c6c82e02751c done
Copying config 571b949be4 done
Writing manifest to image destination
Storing signatures
571b949be478dcad036b8776e4bdd203d98c3a3dc66bb9f77afc927ae1e7ebfc
$ podman image inspect secret_img --format '{{ .Config.Env }}'
[foo=bar PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin TERM=xterm container=oci]

11.3

Original

$ sudo podman image trust set -t reject docker.io 
$ podman pull alpine 
Trying to pull docker.io/library/alpine:latest…
Error: Source image rejected: Running image docker://alpine:latest 
➥ is rejected by policy.
$ sudo podman image trust set -t accept 
➥ docker.io/library 
$ podman pull alpine 
Trying to pull docker.io/library/alpine:latest…
Getting image source signatures
Copying blob 59bf1c3509f3 skipped: already exists 
Copying config c059bfaa84 done 
Writing manifest to image destination
Storing signatures
C059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18
$ podman pull bitnami/nginx
Resolving "bitnami/nginx" using unqualified-search registries 
➥ (/etc/containers/registries.conf.d/999-podman-machine.conf)
Trying to pull docker.io/bitnami/nginx:latest…
Error: Source image rejected: Running image docker://bitnami/nginx:latest 
➥ is rejected by policy.

Check

$ sudo podman image trust set -t reject docker.io
$ podman pull alpine
Resolved "alpine" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/alpine:latest...
Error: copying system image from manifest list: Source image rejected: Running image docker://alpine:latest is rejected by policy.
$ sudo podman image trust set -t accept docker.io/library
$ podman pull alpine
Resolved "alpine" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob 8c6d1654570f done
Copying config 5053b247d7 done
Writing manifest to image destination
Storing signatures
5053b247d78b5e43b5543fec77c856ce70b8dc705d9f38336fa77736f25ff47c
$ podman pull bitnami/nginx
✔ docker.io/bitnami/nginx:latest
Trying to pull docker.io/bitnami/nginx:latest...
Error: copying system image from manifest list: Source image rejected: Running image docker://bitnami/nginx:latest is rejected by policy.

Check/Verify

$ podman pull bitnami/nginx
✔ docker.io/bitnami/nginx:latest
Trying to pull docker.io/bitnami/nginx:latest...
Getting image source signatures
Copying blob 704be0b7e16b done
Copying config 6400021ef4 done
Writing manifest to image destination
Storing signatures
6400021ef481e4d35c882d4e4af00392ac5c8a4c89c5980629be2c929b8ac037
$ podman rmi -a
Untagged: docker.io/library/alpine:latest
Untagged: docker.io/bitnami/nginx:latest
Deleted: 5053b247d78b5e43b5543fec77c856ce70b8dc705d9f38336fa77736f25ff47c
Deleted: 6400021ef481e4d35c882d4e4af00392ac5c8a4c89c5980629be2c929b8ac037
$ sudo podman image trust set --type=reject default
$ podman pull bitnami/nginx
Resolved "bitnami/nginx" as an alias (/home/user/.cache/containers/short-name-aliases.conf)
Trying to pull docker.io/bitnami/nginx:latest...
Error: copying system image from manifest list: Source image rejected: Running image docker://bitnami/nginx:latest is rejected by policy.

Original

$ cat /etc/containers/policy.json
{
    "default": [
        {
            "type": "insecureAcceptAnything"
} ],
    "transports": {
        "docker": {
            "docker.io": [
                {
                    "type": "reject"
                }
            ],
            "docker.io/library": [
                {
                    "type": "insecureAcceptAnything"
} ]
...

Check

$ cat /etc/containers/policy.json
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports": {
        "docker": {
            "docker.io": [
                {
                    "type": "reject"
                }
            ],
            "docker.io/library": [
                {
                    "type": "insecureAcceptAnything"
                }
            ],
            "registry.access.redhat.com": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                }
            ],
            "registry.redhat.io": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                }
            ]
        },
        "docker-daemon": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        }
    }
}

Original

$ podman image trust show
TRANSPORT      NAME                        TYPE        ID                   STORE
all            default                     accept                           
repository     docker.io                   reject                           
repository     docker.io/library           accept                           
repository     registry.access.redhat.com  signed      security@redhat.com  https://access.redhat.com/webassets/docker/content/sigstore
repository     registry.redhat.io          signed      security@redhat.com  https://registry.redhat.io/containers/sigstore
docker-daemon                              accept

Check

$ podman image trust show
TRANSPORT      NAME                        TYPE        ID                   STORE
all            default                     accept
repository     docker.io                   reject
repository     docker.io/library           accept
repository     registry.access.redhat.com  signed      security@redhat.com  https://access.redhat.com/webassets/docker/content/sigstore
repository     registry.redhat.io          signed      security@redhat.com  https://registry.redhat.io/containers/sigstore
docker-daemon                              accept

Original

$ sudo podman image trust set --type=reject default
$ podman image trust show
TRANSPORT      NAME                        TYPE        ID                   STORE
all            default                     reject                           
repository     docker.io                   reject                           
repository     docker.io/library           accept                           
repository     registry.access.redhat.com  signed      security@redhat.com  https://access.redhat.com/webassets/docker/content/sigstore
repository     registry.redhat.io          signed      security@redhat.com  https://registry.redhat.io/containers/sigstore
docker-daemon                              accept  

Check

$ sudo podman image trust set --type=reject default
$ podman image trust show
TRANSPORT      NAME                        TYPE        ID                   STORE
all            default                     reject
repository     docker.io                   reject
repository     docker.io/library           accept
repository     registry.access.redhat.com  signed      security@redhat.com  https://access.redhat.com/webassets/docker/content/sigstore
repository     registry.redhat.io          signed      security@redhat.com  https://registry.redhat.io/containers/sigstore
docker-daemon                              accept

Original

$ sudo cp /tmp/policy.json /etc/containers/policy.json

Check



11.3.1

Original

$ gpg --batch --passphrase '' --quick-gen-key dwalsh@redhat.com default 
➥ default

Check

$ gpg --batch --passphrase '' --quick-gen-key dwalsh@redhat.com default default
gpg: directory '/home/user/.gnupg' created
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/home/user/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/F12BEDF091DC738F1B54D130C612476C50BE1E7F.rev'

Original

$ sudo cp /etc/containers/registries.d/default.yaml 
➥ /etc/containers/policy.json /tmp

Check

$ sudo cp /etc/containers/registries.d/default.yaml /etc/containers/policy.json /tmp

Original

$ sudo podman pull quay.io/rhatdan/myimage
Trying to pull quay.io/rhatdan/myimage:latest…
…
2c7e43d880382561ebae3fa06c7a1442d0da2912786d09ea9baaef87f73c29ae
$ podman login quay.io/rhatdan
Username: rhatdan
Password:
Login Succeeded!
$ sudo -E GNUPGHOME=$HOME/.gnupg \
 podman push --tls-verify=false --sign-by dwalsh@redhat.com
➥ quay.io/rhatdan/myimage
…
Storing signatures

Check

$ sudo podman pull quay.io/rhatdan/myimage
Trying to pull quay.io/rhatdan/myimage:latest...
Getting image source signatures
Copying blob e3460238f8a1 done
Copying blob c7765172d3ce done
Copying blob 2b782a9ad894 done
Copying blob dfd8c625d022 done
Copying blob a1eadb69adf1 done
Copying config 2c7e43d880 done
Writing manifest to image destination
Storing signatures
WARNING: image platform (linux/amd64) does not match the expected platform (linux/arm64)
2c7e43d880382561ebae3fa06c7a1442d0da2912786d09ea9baaef87f73c29ae
$ podman login quay.io
Username: tnk4on
Password:
Login Succeeded!
$ sudo -E GNUPGHOME=$HOME/.gnupg \
podman push --tls-verify=false --sign-by dwalsh@redhat.com quay.io/tnk4on/myimage
Getting image source signatures
Copying blob 164d51196137 done
Copying blob 83310c7c677c done
Copying blob 8f26704f753c done
Copying blob 654b3bf1361e done
Copying blob e39c3abf0df9 done
Copying config 2c7e43d880 done
Writing manifest to image destination
Creating signature: Signing image using simple signing
Storing signatures

Original

$ sudo ls /var/lib/containers/sigstore/rhatdan/
'myimage@sha256=0460a9d13a806e124639b23e9d6ffa1e5773f7bef91469bee6ac88
➥ a4be213427'

Check

$ sudo ls /var/lib/containers/sigstore/tnk4on/
'myimage@sha256=d77349dc5bfc5d148c616dceffda82bf887c54599d9e7a779b6aae65c3a261bb'

Original

$ echo "  sigstore: http://localhost:8000" | sudo tee --append /etc/containers/registries.d/default.yaml

Check

$ echo "  sigstore: http://localhost:8000" | sudo tee --append /etc/containers/registries.d/default.yaml

Original

$ cd /var/lib/containers/sigstore && python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Check

$ cd /var/lib/containers/sigstore && python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Original

$ podman rmi quay.io/rhatdan/myimage
Untagged: quay.io/rhatdan/myimage:latest
Deleted: 2c7e43d880382561ebae3fa06c7a1442d0da2912786d09ea9baaef87f73c29ae

Check

$ podman rmi quay.io/rhatdan/myimage
Untagged: quay.io/rhatdan/myimage:latest
Deleted: 2c7e43d880382561ebae3fa06c7a1442d0da2912786d09ea9baaef87f73c29ae

Original

$ sudo podman image trust set -f /tmp/publickey.gpg quay.io/rhatdan

Check

$ sudo podman image trust set -f /tmp/publickey.gpg quay.io/tnk4on

Original

...
"transports": {
 "docker": {
 "quay.io/rhatdan": [
 {
 "type": "signedBy",
 "keyType": "GPGKeys",
 "keyPath": "/tmp/publickey.gpg"
 }
 ],
...

Check

$ cat /etc/containers/policy.json
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports": {
        "docker": {
            "quay.io/rhatdan": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "/tmp/publickey.gpg"
                }
            ],
            "registry.access.redhat.com": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                }
            ],
            "registry.redhat.io": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                }
            ]
        },
        "docker-daemon": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        }
    }
}

Original

$ gpg --output /tmp/publickey.gpg --armor --export dwalsh@redhat.com

Check

$ gpg --output /tmp/publickey.gpg --armor --export dwalsh@redhat.com
$ ls /tmp/publickey.gpg
/tmp/publickey.gpg

Original

$ podman pull quay.io/rhatdan/myimage
Trying to pull quay.io/rhatdan/myimage:latest…
…
Writing manifest to image destination
Storing signatures
2c7e43d880382561ebae3fa06c7a1442d0da2912786d09ea9baaef87f73c29ae

Check

$ podman pull quay.io/tnk4on/myimage
Trying to pull quay.io/tnk4on/myimage:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob af9d47da3737 done
Copying blob 636c950b6c20 done
Copying blob 50b578ff3c5f done
Copying blob 5a34f7b8901c done
Copying blob 6a5765e16ecb done
Copying config 2c7e43d880 done
Writing manifest to image destination
Storing signatures
WARNING: image platform (linux/amd64) does not match the expected platform (linux/arm64)
2c7e43d880382561ebae3fa06c7a1442d0da2912786d09ea9baaef87f73c29ae

Check/Other terminal

$ cd /var/lib/containers/sigstore && python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
127.0.0.1 - - [02/Jul/2023 01:32:00] "GET /tnk4on/myimage@sha256=d77349dc5bfc5d148c616dceffda82bf887c54599d9e7a779b6aae65c3a261bb/signature-1 HTTP/1.1" 200 -
127.0.0.1 - - [02/Jul/2023 01:32:00] code 404, message File not found
127.0.0.1 - - [02/Jul/2023 01:32:00] "GET /tnk4on/myimage@sha256=d77349dc5bfc5d148c616dceffda82bf887c54599d9e7a779b6aae65c3a261bb/signature-2 HTTP/1.1" 404 -

Original

$ podman pull quay.io/rhatdan/podman
Trying to pull quay.io/rhatdan/podman:latest…
Error: Source image rejected: A signature was required, 
➥ but no signature exists

Check

$ podman pull quay.io/tnk4on/test
Trying to pull quay.io/tnk4on/test:latest...
Error: copying system image from manifest list: Source image rejected: A signature was required, but no signature exists

Original

$ sudo cp /tmp/default.yaml /etc/containers/registries.d/default.yaml
$ sudo cp /tmp/policy.json /etc/containers/policy.json

Check

$ sudo cp /tmp/default.yaml /etc/containers/registries.d/default.yaml
$ sudo cp /tmp/policy.json /etc/containers/policy.json
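
The page copies a policy.json and a registries.d default.yaml into place but does not show their contents, so it is worth tracing how those two files decide what happened in the pulls above: quay.io/tnk4on/myimage was accepted after the local sigstore server answered GET .../signature-1 and 404'd signature-2, while quay.io/tnk4on/test was rejected because a signature was required and none existed. The following is an added example written for this review, not code from the book, from this gist, or from containers/image. POLICY and SIGSTORE_BY_SCOPE are constructed stand-ins for /tmp/policy.json and /tmp/default.yaml and are assumptions; the scope-matching order follows containers-policy.json(5) (full reference, repository, parent namespaces, registry host) and the signature URL layout follows the http.server log line on this page.

```python
"""Which policy.json entry governs an image reference, and where podman will
look for its signatures under a registries.d sigstore entry.

Added example; not code from the book, this gist, or containers/image.
POLICY and SIGSTORE_BY_SCOPE are constructed to fit the page's scenario
(pulls from quay.io/tnk4on need a signature, served by the
python3 -m http.server on port 8000). The real /tmp/policy.json and
/tmp/default.yaml are not shown on the page, so both are assumptions.
"""

# Constructed policy.json: signature required for one namespace only.
POLICY = {
    "default": [{"type": "insecureAcceptAnything"}],
    "transports": {
        "docker": {
            "quay.io/tnk4on": [
                {"type": "signedBy", "keyType": "GPGKeys",
                 "keyPath": "/tmp/publickey.gpg"},
            ],
        },
    },
}

# Constructed stand-in for registries.d/default.yaml ("docker:" scopes
# mapping to a "sigstore:" base URL); assumed to point at the local server.
SIGSTORE_BY_SCOPE = {"quay.io/tnk4on": "http://localhost:8000"}


def repository(ref: str) -> str:
    """Strip an @digest or :tag, leaving host/path. A ':' in the host part
    (a port) survives because only the last path component is inspected."""
    no_digest = ref.split("@", 1)[0]
    host, _, path = no_digest.partition("/")
    if ":" in path.rsplit("/", 1)[-1]:
        path = path.rsplit(":", 1)[0]
    return f"{host}/{path}" if path else host


def scope_candidates(ref: str):
    """Scopes from most to least specific, as containers-policy.json(5)
    describes: full reference, repository, each parent namespace, registry
    host. (Wildcard host scopes such as *.example.com are not modelled.)"""
    yield ref
    repo = repository(ref)
    if repo != ref:
        yield repo
    parts = repo.split("/")
    for n in range(len(parts) - 1, 0, -1):
        yield "/".join(parts[:n])


def requirements_for(policy: dict, ref: str, transport: str = "docker"):
    """Return (matched_scope, requirements); scope is None for the default."""
    scopes = policy.get("transports", {}).get(transport, {})
    for cand in scope_candidates(ref):
        if cand in scopes:
            return cand, scopes[cand]
    if "" in scopes:  # transport-wide entry
        return "", scopes[""]
    return None, policy["default"]


def signature_urls(ref: str, manifest_digest: str, count: int = 2):
    """URLs a client fetches for signature-1..signature-N of one manifest.
    Layout matches the server log on this page:
    <base>/<path without host>@<alg>=<hex>/signature-<n>; the client keeps
    asking for the next index until one of them returns 404."""
    base = next((SIGSTORE_BY_SCOPE[c] for c in scope_candidates(ref)
                 if c in SIGSTORE_BY_SCOPE), None)
    if base is None:
        return []
    alg, hexdigest = manifest_digest.split(":", 1)
    _, _, path = repository(ref).partition("/")
    return [f"{base}/{path}@{alg}={hexdigest}/signature-{i}"
            for i in range(1, count + 1)]


if __name__ == "__main__":
    # Manifest digest taken from the http.server log line on this page.
    digest = "sha256:d77349dc5bfc5d148c616dceffda82bf887c54599d9e7a779b6aae65c3a261bb"
    for ref in ("quay.io/tnk4on/test:latest",
                "registry.access.redhat.com/ubi8:latest"):
        scope, reqs = requirements_for(POLICY, ref)
        print(ref, "->", scope, [r["type"] for r in reqs])
        print("  signatures:", signature_urls(ref, digest) or "none configured")
```

With this policy, registry.access.redhat.com/ubi8 falls through to the insecureAcceptAnything default, which is why the earlier ubi8 pulls on this page never touched the sigstore server; anything under quay.io/tnk4on is accepted only if signature-1 at the computed URL exists and verifies against the exported key.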

11.4

Original

$ podman image mount ubi8
Error: cannot run command "podman image mount" in rootless mode, must 
➥ execute `podman unshare` first

Check

$ podman image mount ubi8
Error: cannot run command "podman image mount" in rootless mode, must execute `podman unshare` first

Original

$ podman unshare
# podman image mount
# mnt=$(podman image mount ubi8)
# echo $mnt
/home/dwalsh/.local/share/containers/storage/overlay/05ddfb76c5eb2146646c70
➥ e20db21a35dfec2215f130ce8bd04fce530142cfbd/merged
# cd $mnt
# /usr/bin/find . -user root -perm -4000
./usr/libexec/dbus-1/dbus-daemon-launch-helper
./usr/bin/chage
./usr/bin/mount
./usr/bin/umount
./usr/bin/newgrp
./usr/bin/gpasswd
./usr/bin/passwd
./usr/bin/su
./usr/sbin/userhelper
./usr/sbin/unix_chkpwd
./usr/sbin/pam_timestamp_check

Check

$ podman unshare
# podman image mount
# mnt=$(podman image mount ubi8)
# echo $mnt
/home/user/.local/share/containers/storage/overlay/246bb60fb3b30b249c272ea533d6b7987239f9fb80f114acf4ed7ce9498af30c/merged
# cd $mnt
# /usr/bin/find . -user root -perm -4000
./usr/bin/chage
./usr/bin/gpasswd
./usr/bin/mount
./usr/bin/newgrp
./usr/bin/passwd
./usr/bin/su
./usr/bin/umount
./usr/libexec/dbus-1/dbus-daemon-launch-helper
./usr/sbin/pam_timestamp_check
./usr/sbin/unix_chkpwd
./usr/sbin/userhelper
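
The find command above is the check a reviewer actually wants to repeat on every base image, and the ubi8 result is a useful baseline: eleven setuid-root binaries, the same set on RHEL 9.1 and Fedora 38 up to ordering. The following is an added example, not code from the book or this gist, that turns the one-off find into a repeatable audit. Point it at the directory `podman image mount` returns (inside `podman unshare` for rootless storage). It goes beyond the page's `find . -user root -perm -4000` in that it also reports setgid files and records the owning uid rather than filtering on root. UBI8_EXPECTED is exactly the list the page's scan printed; for any other image it is an assumption to be reviewed, and build_sample_root constructs a throwaway tree so the script runs without an image.

```python
"""Inventory setuid/setgid files under a mounted image root and flag any
that are not on an allow-list.

Added example, not code from the book or this gist. Run it against the
directory `podman image mount` returns (inside `podman unshare` for rootless
storage). UBI8_EXPECTED is the set the page's ubi8 scan printed; for other
images it is only an assumption to be reviewed.
"""
import os
import stat
import sys
import tempfile

UBI8_EXPECTED = frozenset({
    "usr/bin/chage", "usr/bin/gpasswd", "usr/bin/mount", "usr/bin/newgrp",
    "usr/bin/passwd", "usr/bin/su", "usr/bin/umount",
    "usr/libexec/dbus-1/dbus-daemon-launch-helper",
    "usr/sbin/pam_timestamp_check", "usr/sbin/unix_chkpwd",
    "usr/sbin/userhelper",
})


def find_privileged(root):
    """Map relative path -> (mode bits, uid) for regular files carrying the
    setuid or setgid bit. lstat is used and os.walk does not follow links,
    so a symlink pointing outside the image root cannot pull host files
    into the report."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[os.path.relpath(full, root)] = (st.st_mode & 0o7777, st.st_uid)
    return found


def audit(root, expected=UBI8_EXPECTED):
    """Return (expected_seen, unexpected); unexpected is what to investigate."""
    found = find_privileged(root)
    expected_seen = {p: v for p, v in found.items() if p in expected}
    unexpected = {p: v for p, v in found.items() if p not in expected}
    return expected_seen, unexpected


def build_sample_root():
    """Constructed stand-in for a mounted image: one expected setuid binary,
    one unexpected setuid file, one ordinary file and a symlink out of tree."""
    root = tempfile.mkdtemp(prefix="imgroot-")
    for rel, mode in (("usr/bin/passwd", 0o4755), ("opt/helper", 0o4755),
                      ("usr/bin/ls", 0o755)):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
        os.chmod(full, mode)
    os.symlink("/bin/sh", os.path.join(root, "opt/sh"))
    return root


if __name__ == "__main__":
    # Usage: python3 audit_suid.py "$mnt"   (no argument: constructed sample)
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_root()
    seen, unexpected = audit(root)
    for path, (mode, uid) in sorted(seen.items()):
        print(f"ok      {mode:04o} uid={uid} {path}")
    for path, (mode, uid) in sorted(unexpected.items()):
        print(f"REVIEW  {mode:04o} uid={uid} {path}")
    sys.exit(1 if unexpected else 0)
```

Inside `podman unshare` the image's root-owned files show uid 0, so the uid column reads the same as on the page; outside it the mount would not be available at all, which is the error the section opens with.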

11.4.1

Original

$ podman run --read-only ubi8 touch /foo
touch: cannot touch '/foo': Read-only file system

Check

$ podman run --read-only ubi8 touch /foo
touch: cannot touch '/foo': Read-only file system

Original

$ podman run --read-only ubi8 touch /run/foo

Check

$ podman run --read-only ubi8 touch /run/foo

Original

$ podman run --read-only-tmpfs=false --read-only ubi8 touch /run/foo
touch: cannot touch '/run/foo': Read-only file system

Check

$ podman run --read-only-tmpfs=false --read-only ubi8 touch /run/foo
touch: cannot touch '/run/foo': Read-only file system

A.1

Original

$ skopeo inspect docker://quay.io/rhatdan/myimage
{
    "Name": "quay.io/rhatdan/myimage",
    "Digest": "sha256:0460a9d13a806e124639b23e9d6ffa1e5773f7bef91469bee6ac88a4be213427",
    "RepoTags": [
        "1.0",
        "latest"
    ],
...

Check

$ skopeo inspect docker://quay.io/rhatdan/myimage
{
    "Name": "quay.io/rhatdan/myimage",
    "Digest": "sha256:0460a9d13a806e124639b23e9d6ffa1e5773f7bef91469bee6ac88a4be213427",
    "RepoTags": [
        "1.0",
        "latest"
    ],
    "Created": "2021-09-08T11:06:49.167922944Z",
    "DockerVersion": "",
    "Labels": {
        "architecture": "x86_64",
        "build-date": "2021-08-05T06:23:13.478839",
        "com.redhat.build-host": "cpt-1001.osbs.prod.upshift.rdu2.redhat.com",
        "com.redhat.component": "httpd-24-container",
        "com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
        "description": "Apache httpd 2.4 available as container, is a powerful, efficient, and extensible web server. Apache supports a variety of features, many implemented as compiled modules which extend the core functionality. These can range from server-side programming language support to authentication schemes. Virtual hosting allows one Apache installation to serve many different Web sites.",
        "distribution-scope": "public",
        "io.k8s.description": "Apache httpd 2.4 available as container, is a powerful, efficient, and extensible web server. Apache supports a variety of features, many implemented as compiled modules which extend the core functionality. These can range from server-side programming language support to authentication schemes. Virtual hosting allows one Apache installation to serve many different Web sites.",
        "io.k8s.display-name": "Apache httpd 2.4",
        "io.openshift.expose-services": "8080:http,8443:https",
        "io.openshift.s2i.scripts-url": "image:///usr/libexec/s2i",
        "io.openshift.tags": "builder,httpd,httpd-24",
        "io.s2i.scripts-url": "image:///usr/libexec/s2i",
        "maintainer": "SoftwareCollections.org \u003csclorg@redhat.com\u003e",
        "name": "ubi8/httpd-24",
        "release": "152",
        "summary": "Platform for running Apache httpd 2.4 or building httpd-based application",
        "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8/httpd-24/images/1-152",
        "usage": "s2i build https://github.com/sclorg/httpd-container.git --context-dir=examples/sample-test-app/ ubi8/httpd-24 sample-server",
        "vcs-ref": "a90adf6894f1618e032e11f0bcaf23839daaf1c4",
        "vcs-type": "git",
        "vendor": "Red Hat, Inc.",
        "version": "1"
    },
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": [
        "sha256:c7765172d3ce59f229d53f5c2a60346ad3922c29baa7ae19d31ef9866117d743",
        "sha256:dfd8c625d0226c52da48ce402e79bc6e60a360d732bb7f6523c62cb714ec0a0d",
        "sha256:2b782a9ad894d15e65ee92d0e294b8358cfc69d94bfd5b2cf8d5d286376a0f4a",
        "sha256:a1eadb69adf1f7b62f76fc7bc2d7f8c28e6c03dc1f6024a4f9fd1329412efc89",
        "sha256:e3460238f8a1f4698e1ec867ff96682f5d45debdd10e0503742fd15124d8bf5b"
    ],
    "LayersData": [
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:c7765172d3ce59f229d53f5c2a60346ad3922c29baa7ae19d31ef9866117d743",
            "Size": 87672714,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:dfd8c625d0226c52da48ce402e79bc6e60a360d732bb7f6523c62cb714ec0a0d",
            "Size": 1871,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:2b782a9ad894d15e65ee92d0e294b8358cfc69d94bfd5b2cf8d5d286376a0f4a",
            "Size": 17981023,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:a1eadb69adf1f7b62f76fc7bc2d7f8c28e6c03dc1f6024a4f9fd1329412efc89",
            "Size": 67332001,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:e3460238f8a1f4698e1ec867ff96682f5d45debdd10e0503742fd15124d8bf5b",
            "Size": 15648,
            "Annotations": null
        }
    ],
    "Env": [
        "PATH=/opt/app-root/src/bin:/opt/app-root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
        "TERM=xterm",
        "container=oci",
        "HTTPD_CONFIGURATION_PATH=/opt/app-root/etc/httpd.d",
        "STI_SCRIPTS_URL=image:///usr/libexec/s2i",
        "HTTPD_VAR_RUN=/var/run/httpd",
        "DESCRIPTION=Apache httpd 2.4 available as container, is a powerful, efficient, and extensible web server. Apache supports a variety of features, many implemented as compiled modules which extend the core functionality. These can range from server-side programming language support to authentication schemes. Virtual hosting allows one Apache installation to serve many different Web sites.",
        "HTTPD_MAIN_CONF_MODULES_D_PATH=/etc/httpd/conf.modules.d",
        "HTTPD_DATA_PATH=/var/www",
        "APP_ROOT=/opt/app-root",
        "HTTPD_TLS_CERT_PATH=/etc/httpd/tls",
        "PLATFORM=el8",
        "HOME=/opt/app-root/src",
        "HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/",
        "HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d",
        "HTTPD_APP_ROOT=/opt/app-root",
        "SUMMARY=Platform for running Apache httpd 2.4 or building httpd-based application",
        "HTTPD_DATA_ORIG_PATH=/var/www",
        "HTTPD_LOG_PATH=/var/log/httpd",
        "HTTPD_VERSION=2.4",
        "HTTPD_MAIN_CONF_PATH=/etc/httpd/conf",
        "STI_SCRIPTS_PATH=/usr/libexec/s2i"
    ]
}

Original

$ skopeo copy docker://quay.io/rhatdan/myimage containers-storage:quay.io/rhatdan/myimage
Getting image source signatures
Copying blob dfd8c625d022 done  
Copying blob e3460238f8a1 done  
Copying blob a1eadb69adf1 done  
Copying blob 2b782a9ad894 done  
Copying blob c7765172d3ce done  
Copying config 2c7e43d880 done  
Writing manifest to image destination
Storing signatures

Check

$ skopeo copy docker://quay.io/rhatdan/myimage containers-storage:quay.io/rhatdan/myimage
INFO[0003] Image operating system mismatch: image uses OS "linux"+architecture "amd64", expecting one of "linux+arm64"
Getting image source signatures
Copying blob e3460238f8a1 skipped: already exists
Copying blob c7765172d3ce skipped: already exists
Copying blob 2b782a9ad894 skipped: already exists
Copying blob dfd8c625d022 skipped: already exists
Copying blob a1eadb69adf1 skipped: already exists
Copying config 2c7e43d880 done
Writing manifest to image destination
Storing signatures
$ podman rmi -a
Untagged: registry.access.redhat.com/ubi8:latest
Deleted: 4a95277e7dadaf1f5705c8023ada7488b6050cff33b7267091e68154ddaa3ce7
$ podman images
REPOSITORY  TAG         IMAGE ID    CREATED     SIZE
$ skopeo copy docker://quay.io/rhatdan/myimage containers-storage:quay.io/rhatdan/myimage
INFO[0004] Image operating system mismatch: image uses OS "linux"+architecture "amd64", expecting one of "linux+arm64"
Getting image source signatures
Copying blob e3460238f8a1 done
Copying blob c7765172d3ce done
Copying blob dfd8c625d022 done
Copying blob 2b782a9ad894 done
Copying blob a1eadb69adf1 done
Copying config 2c7e43d880 done
Writing manifest to image destination
Storing signatures

A.2

Original

$ buildah from ubi8-init
Resolved "ubi8-init" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8-init:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 0fa65fe5c23e done  
Copying blob 04fdd1866203 done  
Copying config 67ab454674 done  
Writing manifest to image destination
Storing signatures
ubi8-init-working-container

Check

$ buildah from ubi8-init
Resolved "ubi8-init" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8-init:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 482a6b1febd5 done
Copying blob 46bcfdc97903 done
Copying config 80d7e3a110 done
Writing manifest to image destination
Storing signatures
ubi8-init-working-container

Original

$ buildah from ubi8-init
ubi8-init-working-container-1

Check

$ buildah from ubi8-init
ubi8-init-working-container-1

A.2.2

Original

$ buildah copy ubi8-init-working-container html/index.html /var/lib/www/html/

Check

$ buildah copy ubi8-init-working-container html/index.html /var/lib/www/html/
df913a0d240a2c1f535cab3b1e8227960eab980ce49f365628390c3d6dd88c09

A.2.3

Original

$ buildah run ubi8-init-working-container dnf -y install httpd
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.                                    
...
Complete!

Check

$ buildah run ubi8-init-working-container dnf -y install httpd
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Red Hat Universal Base Image 8 (RPMs) - BaseOS                   625 kB/s | 612 kB     00:00
Red Hat Universal Base Image 8 (RPMs) - AppStream                2.6 MB/s | 3.0 MB     00:01
Red Hat Universal Base Image 8 (RPMs) - CodeReady Builder        375 kB/s |  69 kB     00:00
Dependencies resolved.
==========================================================================================================
 Package             Architecture  Version                                     Repository            Size
==========================================================================================================
Installing:
 httpd               aarch64       2.4.37-56.module+el8.8.0+18758+b3a9c8da.6   ubi-8-appstream-rpms  1.4 M
Installing dependencies:
 apr                 aarch64       1.6.3-12.el8                                ubi-8-appstream-rpms  123 k
 apr-util            aarch64       1.6.1-6.el8_8.1                             ubi-8-appstream-rpms  104 k
 httpd-filesystem    noarch        2.4.37-56.module+el8.8.0+18758+b3a9c8da.6   ubi-8-appstream-rpms   43 k
 httpd-tools         aarch64       2.4.37-56.module+el8.8.0+18758+b3a9c8da.6   ubi-8-appstream-rpms  109 k
 mailcap             noarch        2.1.48-3.el8                                ubi-8-baseos-rpms      39 k
 mod_http2           aarch64       1.15.7-8.module+el8.8.0+18751+b4557bca.3    ubi-8-appstream-rpms  147 k
 redhat-logos-httpd  noarch        84.5-1.el8                                  ubi-8-baseos-rpms      29 k
Installing weak dependencies:
 apr-util-bdb        aarch64       1.6.1-6.el8_8.1                             ubi-8-appstream-rpms   25 k
 apr-util-openssl    aarch64       1.6.1-6.el8_8.1                             ubi-8-appstream-rpms   27 k
Enabling module streams:
 httpd                             2.4

Transaction Summary
==========================================================================================================
Install  10 Packages

Total download size: 2.0 M
Installed size: 10 M
Downloading Packages:
(1/10): mailcap-2.1.48-3.el8.noarch.rpm                                        459 kB/s |  39 kB     00:00
(2/10): redhat-logos-httpd-84.5-1.el8.noarch.rpm                               289 kB/s |  29 kB     00:00
(3/10): apr-1.6.3-12.el8.aarch64.rpm                                           774 kB/s | 123 kB     00:00
(4/10): httpd-tools-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aarch64.rpm      1.6 MB/s | 109 kB     00:00
(5/10): apr-util-bdb-1.6.1-6.el8_8.1.aarch64.rpm                               726 kB/s |  25 kB     00:00
(6/10): apr-util-1.6.1-6.el8_8.1.aarch64.rpm                                   1.4 MB/s | 104 kB     00:00
(7/10): apr-util-openssl-1.6.1-6.el8_8.1.aarch64.rpm                           435 kB/s |  27 kB     00:00
(8/10): httpd-filesystem-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.noarch.rpm  561 kB/s |  43 kB     00:00
(9/10): httpd-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aarch64.rpm            4.8 MB/s | 1.4 MB     00:00
(10/10): mod_http2-1.15.7-8.module+el8.8.0+18751+b4557bca.3.aarch64.rpm        1.0 MB/s | 147 kB     00:00
----------------------------------------------------------------------------------------------------------
Total                                                                          5.3 MB/s | 2.0 MB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                  1/1
  Installing       : apr-1.6.3-12.el8.aarch64                                                        1/10
  Running scriptlet: apr-1.6.3-12.el8.aarch64                                                        1/10
  Installing       : apr-util-bdb-1.6.1-6.el8_8.1.aarch64                                            2/10
  Installing       : apr-util-openssl-1.6.1-6.el8_8.1.aarch64                                        3/10
  Installing       : apr-util-1.6.1-6.el8_8.1.aarch64                                                4/10
  Running scriptlet: apr-util-1.6.1-6.el8_8.1.aarch64                                                4/10
  Installing       : httpd-tools-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aarch64                   5/10
  Running scriptlet: httpd-filesystem-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.noarch               6/10
  Installing       : httpd-filesystem-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.noarch               6/10
  Installing       : mailcap-2.1.48-3.el8.noarch                                                     7/10
  Installing       : redhat-logos-httpd-84.5-1.el8.noarch                                            8/10
  Installing       : mod_http2-1.15.7-8.module+el8.8.0+18751+b4557bca.3.aarch64                      9/10
  Installing       : httpd-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aarch64                        10/10
  Running scriptlet: httpd-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aarch64                        10/10
  Verifying        : redhat-logos-httpd-84.5-1.el8.noarch                                            1/10
  Verifying        : mailcap-2.1.48-3.el8.noarch                                                     2/10
  Verifying        : apr-1.6.3-12.el8.aarch64                                                        3/10
  Verifying        : httpd-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aarch64                         4/10
  Verifying        : httpd-tools-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aarch64                   5/10
  Verifying        : apr-util-1.6.1-6.el8_8.1.aarch64                                                6/10
  Verifying        : apr-util-bdb-1.6.1-6.el8_8.1.aarch64                                            7/10
  Verifying        : apr-util-openssl-1.6.1-6.el8_8.1.aarch64                                        8/10
  Verifying        : mod_http2-1.15.7-8.module+el8.8.0+18751+b4557bca.3.aarch64                      9/10
  Verifying        : httpd-filesystem-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.noarch              10/10
Installed products updated.

Installed:
  apr-1.6.3-12.el8.aarch64                                   apr-util-1.6.1-6.el8_8.1.aarch64
  apr-util-bdb-1.6.1-6.el8_8.1.aarch64                       apr-util-openssl-1.6.1-6.el8_8.1.aarch64
  httpd-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aarch64    httpd-filesystem-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.noarch
  httpd-tools-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6.aarch64    mailcap-2.1.48-3.el8.noarch
  mod_http2-1.15.7-8.module+el8.8.0+18751+b4557bca.3.aarch64    redhat-logos-httpd-84.5-1.el8.noarch

Complete!

Original

$ buildah run ubi8-init-working-container systemctl enable httpd.service

Check

$ buildah run ubi8-init-working-container systemctl enable httpd.service
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.

A.2.4

Original

$ buildah unshare
# mnt=$(buildah mount ubi8-init-working-container)
# echo $mnt
/home/dwalsh/.local/share/containers/storage/overlay/1c1a4be69a564e398d3f89f53c67f5133e084d94c3ec853fa6b122add0287c02/merged
# grep dwalsh /etc/passwd >> $mnt/etc/passwd
# exit

Check

$ buildah unshare
# mnt=$(buildah mount ubi8-init-working-container)
# echo $mnt
/home/user/.local/share/containers/storage/overlay/f04cf2a128911f5e1bdfd32079ee42107e7f2b71f48c1ade1e956abdb830a248/merged
# grep user /etc/passwd >> $mnt/etc/passwd
# exit
exit

Original

$ buildah run ubi8-init-working-container grep dwalsh /etc/passwd
dwalsh:x:3267:3267:Daniel J Walsh:/home/dwalsh:/bin/bash

Check

$ buildah run ubi8-init-working-container grep user /etc/passwd
chrony:x:997:996:chrony system user:/var/lib/chrony:/sbin/nologin
clevis:x:996:995:Clevis Decryption Framework unprivileged user:/var/cache/clevis:/usr/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
user:x:1000:1000::/home/user:/bin/bash

A.2.5

Original

$ buildah config --port=80 --volume=/var/lib/www/html ubi8-init-working-container

Check

$ buildah config --port=80 --volume=/var/lib/www/html ubi8-init-working-container

Original

$ buildah inspect --format '{{ .OCIv1.Config.ExposedPorts }} {{ .OCIv1.Config.Volumes}}' ubi8-init-working-container
map[80:{}] map[/var/lib/www/html:{}]

Check

$ buildah inspect --format '{{ .OCIv1.Config.ExposedPorts }} {{ .OCIv1.Config.Volumes}}' ubi8-init-working-container
map[80:{}] map[/var/lib/www/html:{}]

A.2.6

Original

$ buildah commit ubi8-init-working-container quay.io/rhatdan/myimage2
Getting image source signatures
Copying blob 486dcc5a5ac3 skipped: already exists  
Copying blob f74e559f9f66 skipped: already exists  
Copying blob 3220174136bb done  
Copying config e73b22258d done  
Writing manifest to image destination
Storing signatures
e73b22258d6a834d528f8fdab1215872d63b1d45199498b981f3a71349ca1468

Check

$ buildah commit ubi8-init-working-container quay.io/rhatdan/myimage2
Getting image source signatures
Copying blob 246bb60fb3b3 skipped: already exists
Copying blob 501f4230cc34 skipped: already exists
Copying blob be434d593cce done
Copying config 497b2af13b done
Writing manifest to image destination
Storing signatures
497b2af13b098c2bbfcb85c10937099ad3db9b1b9fe40faedd437b538e35c367

Original

$ buildah images
REPOSITORY                                         TAG       IMAGE ID       CREATED          SIZE
quay.io/rhatdan/myimage2                           latest    e73b22258d6a   53 seconds ago   262 MB
registry.access.redhat.com/ubi8-init               latest    67ab454674c3   3 weeks ago      230 MB

Check

$ buildah images
REPOSITORY                             TAG      IMAGE ID       CREATED          SIZE
quay.io/rhatdan/myimage2               latest   497b2af13b09   37 seconds ago   290 MB
registry.access.redhat.com/ubi8-init   latest   80d7e3a11027   9 days ago       254 MB

Original

$ podman images
REPOSITORY                                         TAG         IMAGE ID      CREATED        SIZE
quay.io/rhatdan/myimage2                           latest      e73b22258d6a  2 minutes ago  262 MB
registry.access.redhat.com/ubi8-init               latest      67ab454674c3  3 weeks ago    230 MB

Check

$ podman images
REPOSITORY                            TAG         IMAGE ID      CREATED             SIZE
quay.io/rhatdan/myimage2              latest      497b2af13b09  About a minute ago  290 MB
registry.access.redhat.com/ubi8-init  latest      80d7e3a11027  9 days ago          254 MB

Original

$ podman run quay.io/rhatdan/myimage2 grep dwalsh /etc/passwd
        dwalsh:x:3267:3267:Daniel J Walsh:/home/dwalsh:/bin/bash

Check

$ podman run quay.io/rhatdan/myimage2 grep user /etc/passwd
Error: OCI runtime error: crun: mount `/home/user/.local/share/containers/storage/volumes/aff937f0b0325b63eb2769c984164285fdf4b2b425cc3f23e5ee11e2156c8511/_data` to `var/lib/www/html`: Not a directory

A.2.7

Original

$ buildah login quay.io
Username: rhatdan
Password: 
Login Succeeded!

Check

$ buildah login quay.io
Username: tnk4on
Password: 
Login Succeeded!

A.2.8

Original

$ cat myapp/Containerfile 
FROM ubi8/httpd-24
COPY index.html /var/www/html/index.html

Check

$ mkdir myapp
$ cat > myapp/index.html << _EOF
<html>
 <head>
 </head>
 <body>
 <h1>Hello World</h1>
 </body>
</html>
_EOF
$ cat > myapp/Containerfile << _EOF
FROM ubi8/httpd-24
COPY index.html /var/www/html/index.html
_EOF

Original

$ buildah build ./myapp
STEP 1/2: FROM ubi8/httpd-24
Resolved "ubi8/httpd-24" as an alias (/home/ori/.cache/containers/short-name-aliases.conf)
Trying to pull registry.access.redhat.com/ubi8/httpd-24:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 709e5f8cf41c done  
Copying blob eefcf9658471 done  
Copying blob 0fa65fe5c23e skipped: already exists  
Copying config a7964b7281 done  
Writing manifest to image destination
Storing signatures
STEP 2/2: COPY index.html /var/www/html/index.html
COMMIT
Getting image source signatures
Copying blob 486dcc5a5ac3 skipped: already exists  
Copying blob c7649cc32711 skipped: already exists  
Copying blob ab3cafb7b754 skipped: already exists  
Copying blob 4b1c62bdec31 done  
Copying config e19ad13cc8 done  
Writing manifest to image destination
Storing signatures
--> e19ad13cc8f1
e19ad13cc8f193d716e65baaa26bcaa58c318e6d11a9dec5c523c09ff9d46c12

Check

$ buildah build ./myapp
STEP 1/2: FROM ubi8/httpd-24
✔ registry.access.redhat.com/ubi8/httpd-24:latest
Trying to pull registry.access.redhat.com/ubi8/httpd-24:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 46bcfdc97903 skipped: already exists
Copying blob 31cf2133e1af done
Copying blob c8b7ce9ed18f done
Copying config c7e2d3f054 done
Writing manifest to image destination
Storing signatures
STEP 2/2: COPY index.html /var/www/html/index.html
COMMIT
Getting image source signatures
Copying blob 246bb60fb3b3 skipped: already exists
Copying blob 3c9b9b8f5a65 skipped: already exists
Copying blob 6f7ce92aa6ff skipped: already exists
Copying blob 57f5d1d8d5f4 done
Copying config fd049048e5 done
Writing manifest to image destination
Storing signatures
--> fd049048e52e
fd049048e52e1220139fcd49822c5fd3423e03b60e4c40a698edd01317b429a8

B

Original

$ podman --runtime crun run --rm ubi8 echo hi
hi

Check

$ podman --runtime crun run --rm ubi8 echo hi
hi

Original

$ grep -iA 3 "Default OCI Runtime" /usr/share/containers/containers.conf
# Default OCI runtime
#
#runtime = "crun"

Check

$ grep -iA 3 "Default OCI Runtime" /usr/share/containers/containers.conf
# Default OCI runtime
#
#runtime = "crun"

Original

$ podman --runtime /usr/bin/runc run --rm ubi8 echo hi
hi

Check

$ podman --runtime /usr/bin/runc run --rm ubi8 echo hi
Error: no valid executable found for OCI runtime /usr/bin/runc: invalid argument
$ sudo dnf install runc
[sudo] password for user:
Last metadata expiration check: 1:10:08 ago on Sun 02 Jul 2023 11:49:38 PM JST.
Dependencies resolved.
================================================================================================================================================================================================================================================================================
 Package                                                       Architecture                                                     Version                                                                  Repository                                                        Size
================================================================================================================================================================================================================================================================================
Installing:
 runc                                                          aarch64                                                          2:1.1.7-1.fc38                                                           updates                                                          2.8 M

Transaction Summary
================================================================================================================================================================================================================================================================================
Install  1 Package

Total download size: 2.8 M
Installed size: 10 M
Is this ok [y/N]: y
Downloading Packages:
runc-1.1.7-1.fc38.aarch64.rpm                                                                                                                                                                                                                   970 kB/s | 2.8 MB     00:02
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                                                           684 kB/s | 2.8 MB     00:04
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                                                                                        1/1
  Installing       : runc-2:1.1.7-1.fc38.aarch64                                                                                                                                                                                                                            1/1
  Running scriptlet: runc-2:1.1.7-1.fc38.aarch64                                                                                                                                                                                                                            1/1
  Verifying        : runc-2:1.1.7-1.fc38.aarch64                                                                                                                                                                                                                            1/1

Installed:
  runc-2:1.1.7-1.fc38.aarch64

Complete!
$ podman --runtime /usr/bin/runc run --rm ubi8 echo hi
hi

Original

$ cat > ~/.config/containers/containers.conf << EOF
[engine]
runtime="runc"
EOF
$ podman --help | grep -- runc
   --runtime string   Path to the OCI-compatible binary used to run containers.
     (default "runc")

Check

$ cat > ~/.config/containers/containers.conf << EOF
[engine]
runtime="runc"
EOF
-bash: /home/user/.config/containers/containers.conf: No such file or directory
$ ls .config/
cni
$ mkdir -p ~/.config/containers

B.2

Original

$ du -s /usr/bin/runc /usr/bin/crun
        10016    /usr/bin/runc
        552    /usr/bin/crun

Check

$ du -s /usr/bin/runc /usr/bin/crun
10248	/usr/bin/runc
532	/usr/bin/crun

B.3

Original

$ grep -A 9 '^#kata' /usr/share/containers/containers.conf
#kata = [
#  "/usr/bin/kata-runtime",
#  "/usr/sbin/kata-runtime",
#  "/usr/local/bin/kata-runtime",
#  "/usr/local/sbin/kata-runtime",
#  "/sbin/kata-runtime",
#  "/bin/kata-runtime",
#  "/usr/bin/kata-qemu",
#  "/usr/bin/kata-fc",
#]

Check

$ grep -A 9 '^#kata' /usr/share/containers/containers.conf
#kata = [
#  "/usr/bin/kata-runtime",
#  "/usr/sbin/kata-runtime",
#  "/usr/local/bin/kata-runtime",
#  "/usr/local/sbin/kata-runtime",
#  "/sbin/kata-runtime",
#  "/bin/kata-runtime",
#  "/usr/bin/kata-qemu",
#  "/usr/bin/kata-fc",
#]

E.1.1

Original

% podman machine init
Downloading VM image: fedora-coreos-38.20230514.2.0-qemu.aarch64.qcow2.xz [=========>-------------] 252.2MiB / 587.9MiB (※1)
Downloading VM image: fedora-coreos-38.20230514.2.0-qemu.aarch64.qcow2.xz: done  
Extracting compressed file (※2)
Image resized.
Machine init complete
To start your machine run:
	podman machine start

Check

% podman machine init
Downloading VM image: fedora-coreos-38.20230625.2.0-qemu.aarch64.qcow2.xz [=====================>------------------------------------] 226.2MiB / 587.4MiB
Downloading VM image: fedora-coreos-38.20230625.2.0-qemu.aarch64.qcow2.xz: done
Extracting compressed file
Image resized.
Machine init complete
To start your machine run:

	podman machine start

Original

% podman machine list
NAME                     VM TYPE     CREATED        LAST UP        CPUS        MEMORY      DISK SIZE
podman-machine-default*  qemu        2 minutes ago  2 minutes ago  1           2.147GB     107.4GB

Check

% podman machine list
NAME                    VM TYPE     CREATED             LAST UP             CPUS        MEMORY      DISK SIZE
podman-machine-default  qemu        About a minute ago  About a minute ago  1           2.147GB     107.4GB

E.1.2

Original

% podman system connection list
Name                         URI                                                         Identity                                Default
podman-machine-default       ssh://core@localhost:56364/run/user/501/podman/podman.sock  /Users/ori/.ssh/podman-machine-default  true
podman-machine-default-root  ssh://root@localhost:56364/run/podman/podman.sock           /Users/ori/.ssh/podman-machine-default  false

Check

% podman system connection list
Name                         URI                                                         Identity                                     Default
podman-machine-default       ssh://core@127.0.0.1:64113/run/user/501/podman/podman.sock  /Users/shtanaka/.ssh/podman-machine-default  false
podman-machine-default-root  ssh://root@127.0.0.1:64113/run/podman/podman.sock           /Users/shtanaka/.ssh/podman-machine-default  true

Original

% podman system connection default podman-machine-default-root
% podman system connection list                               
Name                         URI                                                         Identity                                Default
podman-machine-default       ssh://core@localhost:56364/run/user/501/podman/podman.sock  /Users/ori/.ssh/podman-machine-default  false
podman-machine-default-root  ssh://root@localhost:56364/run/podman/podman.sock           /Users/ori/.ssh/podman-machine-default  true

Check

% podman system connection default podman-machine-default-root
% podman system connection list
Name                         URI                                                         Identity                                     Default
podman-machine-default       ssh://core@127.0.0.1:64113/run/user/501/podman/podman.sock  /Users/shtanaka/.ssh/podman-machine-default  false
podman-machine-default-root  ssh://root@127.0.0.1:64113/run/podman/podman.sock           /Users/shtanaka/.ssh/podman-machine-default  true

Original

$ podman system connection default podman-machine-default

Check

% podman system connection default podman-machine-default
% podman system connection list
Name                         URI                                                         Identity                                     Default
podman-machine-default       ssh://core@127.0.0.1:64113/run/user/501/podman/podman.sock  /Users/shtanaka/.ssh/podman-machine-default  true
podman-machine-default-root  ssh://root@127.0.0.1:64113/run/podman/podman.sock           /Users/shtanaka/.ssh/podman-machine-default  false

E.1.3

% podman version
Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM
Error: unable to connect to Podman socket: Get "http://d/v4.4.1/libpod/_ping": dial unix ///var/folders/zb/g4m_k4dj331b5f_p_x_vdj2r0000gn/T/podman-run--1/podman/podman.sock: connect: no such file or directory

Check

% podman version
Error: failed to connect: dial tcp 127.0.0.1:64113: connect: connection refused

Original

% podman machine start
Starting machine "podman-machine-default"
Waiting for VM ...
Mounting volume... /Users:/Users
Mounting volume... /private:/private
Mounting volume... /var/folders:/var/folders
This machine is currently configured in rootless mode. If your containers
require root permissions (e.g. ports < 1024), or if you run into compatibility
issues with non-podman clients, you can switch using the following command: 
	podman machine set --rootful
API forwarding listening on: /Users/ori/.local/share/containers/podman/machine/podman-machine-default/podman.sock
The system helper service is not installed; the default Docker API socket
address can't be used by podman. If you would like to install it run the
following commands:
	sudo /opt/homebrew/Cellar/podman@4.4.1/4.4.1/bin/podman-mac-helper install
	podman machine stop; podman machine start
You can still connect Docker API clients by setting DOCKER_HOST using the
following command in your terminal session:
	export DOCKER_HOST='unix:///Users/ori/.local/share/containers/podman/machine/podman-machine-default/podman.sock'
Machine "podman-machine-default" started successfully

Check

% podman machine start
Starting machine "podman-machine-default"
Waiting for VM ...
Mounting volume... /Users:/Users
Mounting volume... /private:/private
Mounting volume... /var/folders:/var/folders

This machine is currently configured in rootless mode. If your containers
require root permissions (e.g. ports < 1024), or if you run into compatibility
issues with non-podman clients, you can switch using the following command:

	podman machine set --rootful

API forwarding listening on: /var/run/docker.sock
Docker API clients default to this address. You do not need to set DOCKER_HOST.

Machine "podman-machine-default" started successfully

Original

% podman version
Client:       Podman Engine
Version:      4.4.1
API Version:  4.4.1
Go Version:   go1.20.4
Git Commit:   34e8f3933242f2e566bbbbf343cf69b7d506c1cf
Built:        Thu Feb  9 04:03:18 2023
OS/Arch:      darwin/arm64
Server:       Podman Engine
Version:      4.4.1
API Version:  4.4.1
Go Version:   go1.19.5
Built:        Fri Feb 17 19:25:38 2023
OS/Arch:      linux/arm64

Check

% podman version
Client:       Podman Engine
Version:      4.5.1
API Version:  4.5.1
Go Version:   go1.20.4
Git Commit:   9eef30051c83f62816a1772a743e5f1271b196d7
Built:        Sat May 27 00:10:12 2023
OS/Arch:      darwin/arm64

Server:       Podman Engine
Version:      4.5.1
API Version:  4.5.1
Go Version:   go1.20.4
Built:        Sat May 27 02:58:19 2023
OS/Arch:      linux/arm64

Original

% podman machine stop

Check

% podman machine stop

F.1

Original

PS C:\Users\User> podman machine init
Downloading VM image: fedora-35.20211125-x86_64.tar.xz: done
Extracting compressed file
Importing operating system into WSL (this may take 5+ minutes on a new WSL install)...
Installing packages (this will take awhile)...
Fedora 35 - x86_64        5.5 MB/s | 79 MB      00:14
Complete!
Configuring system…
Generating public/private ed25519 key pair.
Machine init complete
To start your machine run:
        podman machine start

Check/ja

PS C:\Users\shion> podman.exe machine init
Downloading VM image: fedora-podman-amd64-v37.0.45.tar.xz: done
Extracting compressed file
Importing operating system into WSL (this may take a few minutes on a new WSL install)...
インポート中です。この処理には数分かかることがあります。
この操作を正しく終了しました。
Configuring system...
Generating public/private ed25519 key pair.
Your identification has been saved in podman-machine-default
Your public key has been saved in podman-machine-default.pub
The key fingerprint is:
SHA256:0HnLStHi69m6iemW1lP8DoDDAfdfO9od4FqvitT3FYQ root@OneMix4S
The key's randomart image is:
+--[ED25519 256]--+
|    . .          |
|     o o o    .  |
|      o * o oE . |
|     . = * + o.  |
|      + S.+ = .. |
|       o =o= + ..|
|       o+.=.o o .|
|      +=o= o.o . |
|     ++ B+ooo .  |
+----[SHA256]-----+
Machine init complete
To start your machine run:

        podman machine start

PS C:\Users\shion> wsl --list
Linux 用 Windows サブシステム ディストリビューション:
Ubuntu (既定)
fedoraremix
podman-machine-default

Check/en

PS C:\Users\shion> podman.exe machine init
Extracting compressed file
Importing operating system into WSL (this may take a few minutes on a new WSL install)...
Import in progress, this may take a few minutes.
The operation completed successfully.
Configuring system...
Generating public/private ed25519 key pair.
Your identification has been saved in podman-machine-default
Your public key has been saved in podman-machine-default.pub
The key fingerprint is:
SHA256:8nzP1Thwu8F8LlGeTiFDwz2m3ATdSgfMmGPbocNnvRE root@OneMix4S
The key's randomart image is:
+--[ED25519 256]--+
|            .*=..|
|            =+=Eo|
|           oo**=o|
|            ===+o|
|      . S   .++o=|
|       +     =.B.|
|        o .   @.o|
|         . o ..B |
|            o ...|
+----[SHA256]-----+
Machine init complete
To start your machine run:

        podman machine start

F.2.2

Original

PS C:\Users\User> podman system connection ls
Name                        URI                           Identity  Default
podman-machine-default      ssh://user@localhost:57051..  default   true
podman-machine-default-root ssh://root@localhost:57051..  default   false

Check

PS C:\Users\shion> podman system connection ls
Name                         URI                                                          Identity                                    Default
podman-machine-default       ssh://user@127.0.0.1:56638/run/user/1000/podman/podman.sock  C:\Users\shion\.ssh\podman-machine-default  true
podman-machine-default-root  ssh://root@127.0.0.1:56638/run/podman/podman.sock            C:\Users\shion\.ssh\podman-machine-default  false

Original

PS C:\Users\User> podman machine set --rootful
PS C:\Users\User> podman system connection ls
Name                        URI                           Identity  Default
podman-machine-default      ssh://user@localhost:57051..  default   false
podman-machine-default-root ssh://root@localhost:57051..  default   true
PS C:\Users\User> podman machine set --rootful=false

Check

PS C:\Users\shion> podman machine set --rootful
PS C:\Users\shion> podman system connection ls
Name                         URI                                                          Identity                                    Default
podman-machine-default       ssh://user@127.0.0.1:56638/run/user/1000/podman/podman.sock  C:\Users\shion\.ssh\podman-machine-default  false
podman-machine-default-root  ssh://root@127.0.0.1:56638/run/podman/podman.sock            C:\Users\shion\.ssh\podman-machine-default  true
PS C:\Users\shion> podman machine set --rootful=false

F.2.3

Original

PS C:\Users\User> podman version
Cannot connect to Podman. Please verify your connection to the Linux system
using `podman system connection list`, or try `podman machine init` and
`podman machine start` to manage a new Linux Linux VM
Error: unable to connect to Podman. failed to create sshClient: Connection
to bastion host (ssh://root@localhost:38243/run/podman/podman.sock)
failed.: dial tcp [::1]:38243: connect: connection refused

Check

PS C:\Users\shion> podman version
Error: failed to connect: dial tcp 127.0.0.1:56920: connectex: No connection could be made because the target machine actively refused it.

Original

PS C:\Users\User> podman machine start
Starting machine "podman-machine-default"
This machine is currently configured in rootless mode. If your containers
require root permissions (e.g. ports < 1024), or if you run into compatibility
issues with non-podman clients, you can switch using the following command:
podman machine set --rootful
API forwarding listening on: npipe:////./pipe/docker_engine
Docker API clients default to this address. You do not need to set
DOCKER_HOST.
Machine "podman-machine-default" started successfully

Check

PS C:\Users\shion> podman machine start
Starting machine "podman-machine-default"

This machine is currently configured in rootless mode. If your containers
require root permissions (e.g. ports < 1024), or if you run into compatibility
issues with non-podman clients, you can switch using the following command:

        podman machine set --rootful

API forwarding listening on: npipe:////./pipe/docker_engine

Docker API clients default to this address. You do not need to set DOCKER_HOST.
Machine "podman-machine-default" started successfully

Original

PS C:\Users\User> podman version
Client:      Podman Engine
Version:     4.0.0-dev
API Version: 4.0.0-dev
Go Version:  go1.17.1
Git Commit:  bac389043f268e632c45fed7b4e88bdefd2d95e6-dirty
Built:       Wed Feb 16 00:33:20 2022
OS/Arch:     windows/amd64
Server:      Podman Engine
Version:     4.0.1
API Version: 4.0.1
Go Version:  go1.16.14
Built:       Fri Feb 25 13:22:13 2022
OS/Arch:     linux/amd64

Check

PS C:\Users\shion> podman version
Client:       Podman Engine
Version:      4.5.1
API Version:  4.5.1
Go Version:   go1.20.4
Git Commit:   9eef30051c83f62816a1772a743e5f1271b196d7
Built:        Sat May 27 02:06:38 2023
OS/Arch:      windows/amd64

Server:       Podman Engine
Version:      4.5.0
API Version:  4.5.0
Go Version:   go1.19.7
Built:        Sat Apr 15 00:42:56 2023
OS/Arch:      linux/amd64

F.2.4

Original

PS C:\Users\User> podman run ubi8-micro date
Thu Jan 6 05:09:59 UTC 2022

Check

PS C:\Users\shion> podman run ubi8-micro date
Wed Jul  5 01:15:18 UTC 2023

Original

PS C:\Users\User> podman machine stop

Check

PS C:\Users\shion> podman machine stop
Machine "podman-machine-default" stopped successfully

Original

PS C:\Users\User> podman machine ls
NAME                   VM TYPE    CREATED        LAST UP    CPUS  MEMORY   DISK SIZE
podman-machine-default wsl        3 days ago     Running    4     528.4MB  845.2MB
other                  wsl        4 minutes ago  Running    4     524.5MB  778MB

Check

PS C:\Users\shion> podman machine ls
NAME                     VM TYPE     CREATED             LAST UP            CPUS        MEMORY      DISK SIZE
other                    wsl         About a minute ago  Currently running  12          646.3MB     736.1MB
podman-machine-default*  wsl         13 hours ago        Currently running  12          650.9MB     796.9MB

Original

PS C:\Users\User> wsl -d podman-machine-default
[root@WIN10PRO /]# podman version
Client:         Podman Engine
Version:        4.0.1
API Version:    4.0.1
Go Version:     go1.16.14

Built:          Fri Feb 25 13:22:13 2022
OS/Arch:        linux/amd64

Check

PS C:\Users\shion> wsl -d podman-machine-default

You will be automatically entered into a nested process namespace where
systemd is running. If you need to access the parent namespace, hit ctrl-d
or type exit. This also means to log out you need to exit twice.

[user@OneMix4S ~]$ podman version
Client:       Podman Engine
Version:      4.5.0
API Version:  4.5.0
Go Version:   go1.19.7
Built:        Sat Apr 15 00:42:56 2023
OS/Arch:      linux/amd64

Original

PS C:\Users\User> podman machine ssh dnf upgrade -y
Warning: Permanently added '[localhost]:52581' (ED25519) to the list of
known hosts.
Last metadata expiration check: 1:18:35 ago on Wed Jan 5 21:13:15 2022.
Dependencies resolved.
…
Complete!

Check

PS C:\Users\shion> podman machine ssh dnf upgrade -y
Warning: Permanently added '[localhost]:57466' (ED25519) to the list of known hosts.
Fedora 37 - x86_64                              1.3 MB/s |  82 MB     01:03
Fedora 37 openh264 (From Cisco) - x86_64        429  B/s | 2.5 kB     00:05
Fedora Modular 37 - x86_64                      744 kB/s | 3.8 MB     00:05
Fedora 37 - x86_64 - Updates                    1.0 MB/s |  36 MB     00:34
Fedora Modular 37 - x86_64 - Updates            637 kB/s | 2.9 MB     00:04
Dependencies resolved.
Nothing to do.
Complete!

Original

PS C:\Users\User> wsl --shutdown
PS C:\Users\User> podman machine start
Starting machine…
Machine "podman-machine-default" started successfully

Check

PS C:\Users\shion> podman machine ls
NAME                    VM TYPE     CREATED        LAST UP            CPUS        MEMORY      DISK SIZE
other                   wsl         2 hours ago    Currently running  12          686.9MB     736.1MB
podman-machine-default  wsl         5 minutes ago  Currently running  12          690.5MB     1.019GB
PS C:\Users\shion> wsl -l -v
  NAME                      STATE           VERSION
* Ubuntu                    Stopped         2
  podman-other              Running         2
  podman-machine-default    Running         2
  fedoraremix               Stopped         2
PS C:\Users\shion> wsl --shutdown
PS C:\Users\shion> wsl -l -v
  NAME                      STATE           VERSION
* Ubuntu                    Stopped         2
  podman-other              Stopped         2
  podman-machine-default    Stopped         2
  fedoraremix               Stopped         2
PS C:\Users\shion>
PS C:\Users\shion> podman machine ls
NAME                    VM TYPE     CREATED        LAST UP         CPUS        MEMORY      DISK SIZE
podman-machine-default  wsl         6 minutes ago  19 seconds ago  0           0B          998.2MB
other                   wsl         2 hours ago    20 seconds ago  0           0B          718.3MB
PS C:\Users\shion> wsl -l -v
  NAME                      STATE           VERSION
* Ubuntu                    Stopped         2
  podman-other              Stopped         2
  podman-machine-default    Stopped         2
  fedoraremix               Stopped         2
PS C:\Users\shion> podman machine start
Starting machine "podman-machine-default"
API forwarding for Docker API clients is not available due to the following startup failures.
        could not start api proxy since expected pipe is not available: podman-machine-default

Podman clients are still able to connect.
Machine "podman-machine-default" started successfully