
Podifying Your Docker Container

Marc Skinner
Principal Solutions Architect

Containers
RED HAT ENTERPRISE LINUX CONTAINER TOOLING
RHEL CONTAINERS

Containers are Linux

[Diagram: a container bundles the application binaries and the application dependencies, which you build and then run. Underneath, the Linux kernel supplies the isolation and resource control: SELinux, Seccomp, Cgroups and Namespaces over CPU, memory, storage and network.]
Powering the adoption of containerized workloads

[Diagram: the path from traditional development to cloud-native, as six steps: Find, Run, Build, Share, Integrate, Deploy. Red Hat Enterprise Linux (Podman/Buildah/Skopeo), Quay, and Red Hat OpenShift® (Kubernetes) supply the tooling along that path.]
Container Tooling Overview
RED HAT ENTERPRISE LINUX CONTAINER TOOLING
Manage containers with Podman

● Fast and lightweight: no daemons required
● Advanced namespace isolation: rootless operations for container run and build
● Open standards compliant: creates and maintains any standard Open Containers Initiative (OCI)-compliant containers and pods

[Diagram: the stack from the bottom up: Kernel, RunC, Podman, Images.]
Create images with Buildah

● More control: scriptable tooling for fine-grained image control, and maximum control starting from base or scratch images
● Minimization of images: elimination of unneeded dependencies by using host-based tools

[Diagram: two image layouts. From base, multilayer: Base Red Hat Enterprise Linux, OS update layer, Java™ runtime layer, Application layer. From scratch, single layer: Java runtime and dependencies, and application.]
Inspect and transport images with Skopeo

● Inspect images remotely: examine image metadata without needing to download
● Publish and transfer images: copy images from registries to hosts or directly between registries
● Sign and verify images: supports GPG key signing on publish

[Diagram: Skopeo moving an image, together with its metadata signature, between two image registries, an image repository and a host.]
Container Tooling Details
RED HAT ENTERPRISE LINUX CONTAINER TOOLING
Wait, no Docker?

● Docker and the Docker daemon are not needed
● Podman is a replacement
● We move from a centralized Docker daemon to a process runtime
● Client/Server vs Fork/Exec model
● No single point of failure
● No more orphaned processes if the daemon fails
● Ability to run / build containers as unprivileged users
Are you sure it will work?

● Docker commands work with Podman:
# systemctl stop docker
# alias docker=podman
● Docker images are compatible with Podman
● Podman is available on RHEL 7.6 or later
● Docker stores images in “/var/lib/docker”
● Podman stores images in “/var/lib/containers” and “~/.local/share/containers”
What else should I know about Podman?

● Podman follows the Open Containers Initiative (OCI) standards
● Podman can create Kubernetes PODs:
# podman pod
● Podman can generate Kubernetes YAML files:
# podman generate kube PODID
● Podman has a REST API
● Podman supports rootless containers
● Supports non-root users
● Ansible Collection: containers.podman
What is this Buildah?

● Build OCI containers without requiring a full container runtime or daemon
● Build from scratch
● Build from an existing container image
● Build from a Dockerfile
● Build as non-root
Skopeo – the Greek word for inspect

● Developed to easily inspect a remote container image – JSON output
● Evolved into a great tool for moving images between different types of container storage: Docker.io, Quay.io, local filesystem
● Great for CI/CD
● One step versus three steps:
# skopeo copy REGSRC/IMAGE REGDST/IMAGE
-----------------------------
# podman pull OLDIMAGE
# podman tag OLDIMAGE NEWIMAGE
# podman push NEWIMAGE
Skopeo JSON metadata

● Inspect a container image without downloading:
# skopeo inspect --config docker://registry.access.redhat.com/ubi8/ubi
# skopeo inspect --config dir:/home/developer/ubi
U-B-I = Universal Base Image

● OCI-compliant container image built on RHEL 7 or 8
● No subscription required
● Inherits the support subscription of the running container host
● Red Hat patches, curates and publishes the base images
● Four base image options:
  ubi8/ubi-micro
  ubi8/ubi-minimal
  ubi8/ubi
  ubi8/ubi-init
How small are micro and minimal? Can we get under 100MB?

ubi8/ubi-micro
● Smallest possible UBI image
● No package manager
● Must use buildah or an external mechanism to update/add content

ubi8/ubi-minimal
● Designed for applications that contain their own dependencies (python, node.js, .NET, etc.)
● Minimized pre-installed content
● microdnf - minimal package manager (install, update, and remove)
● No suid binaries
What about ubi vs init?

ubi8/ubi
● Also called Platform
● Use for any application that runs on RHEL
● Unified, OpenSSL crypto stack
● Full YUM stack
● Includes useful basic OS tooling (tar, gzip, vi, etc.)

ubi8/ubi-init
● Known as Multi-Service
● Eases the ability to run multiple services from a single container
● Based on the ubi8/ubi image
● Configured to run systemd on start
● Allows you to enable services at build time
Let’s compare the actual sizes

UBI size compare

Image              Size
ubi8/ubi-micro     39.1 MB
ubi8/ubi-minimal   105 MB
ubi8/ubi           234 MB
ubi8/ubi-init      251 MB
Wait … I’m still on RHEL 7

● RHEL 7 only has 3 base images – no micro image:
  ubi7/ubi-minimal
  ubi7/ubi
  ubi7/ubi-init
Where do I find trusted containers?

● Red Hat maintains a curated container image ecosystem catalog of more than 5,000 images:
https://catalog.redhat.com/software/containers/explore
How do I download the UBI?

● Use the Red Hat Container Catalog via a web browser:
https://catalog.redhat.com/software/containers/explore
● Use podman to pull directly to your local registry:
# podman pull registry.access.redhat.com/ubi7/ubi:latest
# podman pull registry.access.redhat.com/ubi8/ubi:latest
● Use skopeo to copy directly to your local filesystem:
# skopeo copy docker://registry.access.redhat.com/ubi8/ubi dir:/home/developer/ubi8
● Use skopeo to copy directly to your local registry:
# skopeo copy docker://registry.access.redhat.com/ubi8/ubi docker://localhost:5000/ubi8/ubi
Let’s run a Docker image on Podman, please
:s/docker/podman/

● Download the docker image from docker.io:
# podman pull percona/pmm-server:2
● Create a persistent storage mount point:
# podman create -v /srv --name pmm-data percona/pmm-server:2 /bin/true
● Start the container:
# podman run -d -p 80:80 -p 443:443 --volumes-from pmm-data --name pmm-server --restart always percona/pmm-server:2
Test your container application
Create a systemd unit file to autostart your containerized application

● Grab the container ID of the running container:
# podman ps
● Generate the systemd service file:
# podman generate systemd 4e860abd9941 > pmm-server.service
# cp pmm-server.service /etc/systemd/system/
# systemctl enable pmm-server
● Check out what is running in the container with podman top!
# podman top pmm-server
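Before copying a generated unit into place it is worth checking that it carries what `systemctl enable` needs, and that it will be installed where systemd will look for it. The script below is an added example, not part of the deck and not podman's own output: the unit text is a constructed, simplified stand-in for what `podman generate systemd` writes (the deck generates from the container ID; `podman generate systemd --name CONTAINER` uses the container name instead, which is what `unit_container_name` expects to read), and `unit_dir_for_uid` encodes the rule that root units go under /etc/systemd/system while a rootless user's units live under ~/.config/systemd/user and are enabled with `systemctl --user`.

```shell
#!/bin/sh
# Sanity checks for a systemd unit that wraps a Podman container (added example).

# systemctl enable needs an [Install] section with WantedBy=; the service must
# start and stop the container through podman or systemd has nothing to supervise.
unit_check() {
  awk '
    /^\[Unit\]/                 { unit = 1 }
    /^\[Service\]/              { service = 1 }
    /^\[Install\]/              { install = 1 }
    /^ExecStart=.*podman start/ { start = 1 }
    /^ExecStop=.*podman stop/   { stop = 1 }
    /^WantedBy=/                { wantedby = 1 }
    END { exit !(unit && service && install && start && stop && wantedby) }' "$1"
}

# The container the unit manages: the last word of the ExecStart line
# (a name when generated with --name, otherwise the container ID).
unit_container_name() {
  awk '/^ExecStart=/ { print $NF; exit }' "$1"
}

# Root installs system units; a rootless user (non-zero UID) installs user
# units under the home directory given as the second argument (default $HOME).
unit_dir_for_uid() {
  if [ "$1" -eq 0 ]; then
    echo /etc/systemd/system
  else
    echo "${2:-$HOME}/.config/systemd/user"
  fi
}

# Constructed, simplified unit text (not captured from podman).
UNIT_FILE=$(mktemp)
cat > "$UNIT_FILE" <<'EOF'
[Unit]
Description=Podman container pmm-server
Wants=network-online.target
After=network-online.target

[Service]
Restart=on-failure
ExecStart=/usr/bin/podman start pmm-server
ExecStop=/usr/bin/podman stop -t 10 pmm-server
Type=forking

[Install]
WantedBy=multi-user.target default.target
EOF

if unit_check "$UNIT_FILE"; then
  name=$(unit_container_name "$UNIT_FILE")
  echo "unit manages container '$name'; install it under $(unit_dir_for_uid "$(id -u)")"
else
  echo "unit is incomplete: check [Install]/WantedBy and the ExecStart/ExecStop lines" >&2
fi
rm -f "$UNIT_FILE"
```

On a real host, point `unit_check` at the file written by `podman generate systemd` before the `cp`; a failing check usually means the unit was generated for a container that no longer exists or was edited by hand.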
Show me some rootless!

● Update “user.max_user_namespaces” via sysctl
● Create a login for a normal user
● Remember: Podman local storage will be at ~/.local/share/containers/storage/
● Make sure rootless is working; check the namespace map:
# podman unshare cat /proc/self/uid_map
0 1001 0
1 1000000 65536
● Check your UID:
# id
uid=1001(test) gid=1001(test) ...
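A scripted form of the namespace-map check above, added here as an example and not part of the original deck. It parses the format the kernel uses for /proc/self/uid_map (inside UID, outside UID, count per line, so a rootless map sends inside UID 0 to the user's own UID and the rest to a subordinate range from /etc/subuid) and reports whether the mapping is rootless and how many subordinate UIDs it holds. The sample maps are constructed; on a real host pass it the output of `podman unshare cat /proc/self/uid_map` and the value of `sysctl -n user.max_user_namespaces`.

```shell
#!/bin/sh
# Rootless sanity checks on uid_map text (added example, POSIX sh + awk).
# uid_map lines read "<inside_uid> <outside_uid> <count>".

# Rootless Podman maps inside UID 0 to the unprivileged user's UID, so a map
# whose line for inside UID 0 points at a non-zero outside UID is rootless.
# A rootful map is the identity "0 0 4294967295".
uid_map_is_rootless() {
  printf '%s\n' "$1" | awk '
    $1 == 0 { root_outside = $2; seen = 1 }
    END { exit !(seen && root_outside != 0) }'
}

# Subordinate UIDs available to the namespace (everything not mapping UID 0).
# Fewer than 65536 usually means /etc/subuid and /etc/subgid were never
# populated for the user, and images with many users will fail to unpack.
uid_map_subid_count() {
  printf '%s\n' "$1" | awk '$1 != 0 { n += $3 } END { print n + 0 }'
}

# user.max_user_namespaces must be greater than 0 or unprivileged user
# namespaces cannot be created and rootless Podman cannot work at all.
userns_enabled() {
  [ "$1" -gt 0 ] 2>/dev/null
}

# Constructed sample maps (not captured from a real host).
ROOTLESS_MAP='0 1001 1
1 100000 65536'
ROOTFUL_MAP='0 0 4294967295'

for m in "$ROOTLESS_MAP" "$ROOTFUL_MAP"; do
  if uid_map_is_rootless "$m"; then
    echo "rootless: yes, $(uid_map_subid_count "$m") subordinate UIDs mapped"
  else
    echo "rootless: no (inside UID 0 is the real root)"
  fi
done

if userns_enabled 0; then
  echo "user namespaces: enabled"
else
  echo "user namespaces: disabled, set user.max_user_namespaces via sysctl"
fi
```

Usage on a host: `uid_map_is_rootless "$(podman unshare cat /proc/self/uid_map)" && echo rootless`. The third column of the sample is the mapped count, which is why the constructed first line reads `0 1001 1`.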


I want the Buildah steps

# buildah from ubi8
# buildah run ubi8-working-container yum install httpd -y
# echo "Hello from Red Hat" > index.html
# buildah copy ubi8-working-container index.html /var/www/html/index.html
# buildah config --entrypoint "/usr/sbin/httpd -DFOREGROUND" ubi8-working-container
# buildah commit ubi8-working-container rhug-demo-website
# podman run --name rhug-demo -dt -p 8080:80/tcp localhost/rhug-demo-website
# curl http://podman.i.skinnerlabs.com:8080
Hello from Red Hat
Running Information

● View container information:
# podman ps
# podman top -l    (-l = latest)
# podman top [NAME] or [CONTAINERID]
# podman inspect [NAME] or [CONTAINERID]
Passing environment variables

● Pass variables:
# podman run -e 'ACCEPT_EULA=Y' -e 'SA_PASSWORD=yourStrong(!)Password' -p 1433:1433 -d mcr.microsoft.com/mssql/rhel/server:2019-latest
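A password passed with `-e` on the command line ends up in the process argument list and in the container's stored configuration, so `ps` and `podman inspect` both show it. Podman's `--env-file` flag reads one KEY=VALUE per line from a file instead, which keeps the secret out of the command line as long as the file itself is only readable by the invoking user. The script below is an added example, not part of the deck: it validates the file format and its permissions before the container is started, and the env file contents are constructed with a placeholder password.

```shell
#!/bin/sh
# Pre-flight checks for an env file destined for "podman run --env-file"
# (added example; the format assumed is one KEY=VALUE per line, blank lines
# and lines starting with # ignored).

# Every non-comment, non-blank line must be KEY=VALUE with a valid
# environment variable name, or the setting silently never reaches the app.
envfile_is_valid() {
  awk '
    /^[[:space:]]*(#|$)/ { next }
    !/^[A-Za-z_][A-Za-z0-9_]*=/ { bad = 1 }
    END { exit bad ? 1 : 0 }' "$1"
}

# The file must not be readable by group (octal 040) or others (octal 004);
# otherwise the secret is as exposed as it would be in the argument list.
envfile_is_private() {
  [ -f "$1" ] || return 1
  [ -z "$(find "$1" -perm -040 -o -perm -004 2>/dev/null)" ]
}

envfile_ok() {
  envfile_is_valid "$1" && envfile_is_private "$1"
}

# Constructed demo file with a placeholder value (not a real credential).
# Values are taken literally, so do not wrap them in quotes.
ENV_FILE=$(mktemp)
cat > "$ENV_FILE" <<'EOF'
# mssql container settings
ACCEPT_EULA=Y
SA_PASSWORD=replace-me-with-a-real-password
EOF
chmod 600 "$ENV_FILE"

if envfile_ok "$ENV_FILE"; then
  # The real invocation would be:
  # podman run --env-file "$ENV_FILE" -p 1433:1433 -d mcr.microsoft.com/mssql/rhel/server:2019-latest
  echo "env file ok: $ENV_FILE"
else
  echo "refusing to start: env file is malformed or readable by others" >&2
fi
rm -f "$ENV_FILE"
```

`podman inspect` still records the variable values in the container's config, so this moves the secret off the command line and out of shell history but does not hide it from anyone who can inspect the container.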
Clean up

# podman volume ls
# podman volume rm VOLUME_ID
# podman system prune --all --force
# podman stop --all
# podman rmi --all --force
Thank you

Red Hat is the world’s leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500.

linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHat
