
Podman in Action
Description
In Podman in Action you will learn how to:
Build and run containers in rootless mode
Develop and manage pods
Use systemd to oversee a container's lifecycle
Work with the Podman service via Python
Keep your containers confined using Podman security features
Manage containerized applications on edge devices
Podman in Action shows you how to deploy containerized applications on Linux, Windows, and macOS systems using Podman. Written by Daniel Walsh, who leads the Red Hat Podman team, this book teaches you how to securely manage the entire application lifecycle without human intervention. You'll quickly get to grips with Podman's advantages over Docker and learn how easy it is to migrate your Docker-based infrastructure. It also demonstrates how, with Podman, you can convert containerized applications into Kubernetes-based microservices.
About the technology
It's time to upgrade your container engine! The Podman container manager delivers flexible image layer control, seamless Kubernetes compatibility, and rootless containers that can be created, run, and managed by users without admin rights. Plus, its OCI-compliant image and runtime support, together with a Docker-compatible REST API, lets you shift existing containers to Podman without breaking your scripts or changing the way you work.
About the book
Podman in Action introduces the Podman container manager. The easy-to-follow explanations and examples give you a clear view of what containers are, how they work, and how to manage them using Podman's powerful features. You'll get a deep look at the Linux components Podman uses and even learn more about Docker along the way. You'll especially appreciate author Dan Walsh's unique insights into container security.
What's inside
Develop and manage pods
Key security concepts including SELinux and seccomp
Use systemd to oversee a container's lifecycle
Keep your containers confined using Podman security
Manage containerized applications on edge devices
Install and run Podman on macOS and Windows
About the reader
For developers or system administrators experienced with Linux and Docker.
About the author
Daniel Walsh is a senior distinguished engineer at Red Hat, and leads the team that created Podman.
Table of Contents
PART 1 FOUNDATIONS
1 Podman: A next-generation container engine
2 Command line
3 Volumes
4 Pods
PART 2 DESIGN
5 Customization and configuration files
6 Rootless containers
PART 3 ADVANCED TOPICS
7 Integration with systemd
8 Working with Kubernetes
9 Podman as a service
PART 4 CONTAINER SECURITY
10 Security container isolation
11 Additional security considerations
Contents
- Intro
- Inside front cover
- Podman in Action
- Copyright
- dedication
- brief contents
- contents
- front matter
- preface
- acknowledgments
- about this book
- Who should read this book?
- How this book is organized: A roadmap
- liveBook discussion forum
- Author online
- about the author
- about the cover illustration
- Part 1. Foundations
- 1 Podman: A next-generation container engine
- 1.1 About all these terms
- 1.2 A brief overview of containers
- 1.2.1 Container images: A new way to ship software
- 1.2.2 Container images lead to microservices
- 1.2.3 Container image format
- 1.2.4 Container standards
- 1.3 Why use Podman when you have Docker?
- 1.3.1 Why have only one way to run containers?
- 1.3.2 Rootless containers
- 1.3.3 Fork/exec model
- 1.3.4 Podman is daemonless
- 1.3.5 User-friendly command line
- 1.3.6 Support for REST API
- 1.3.7 Integration with systemd
- 1.3.8 Pods
- 1.3.9 Customizable registries
- 1.3.10 Multiple transports
- 1.3.11 Complete customizability
- 1.3.12 User-namespace support
- 1.4 When not to use Podman
- Summary
- 2 Command line
- 2.1 Working with containers
- 2.1.1 Exploring containers
- 2.1.2 Running the containerized application
- 2.1.3 Stopping containers
- 2.1.4 Starting containers
- 2.1.5 Listing containers
- 2.1.6 Inspecting containers
- 2.1.7 Removing containers
- 2.1.8 exec-ing into a container
- 2.1.9 Creating an image from a container
- 2.2 Working with container images
- 2.2.1 Differences between a container and an image
- 2.2.2 Listing images
- 2.2.3 Inspecting images
- 2.2.4 Pushing images
- 2.2.5 podman login: Logging into a container registry
- 2.2.6 Tagging images
- 2.2.7 Removing images
- 2.2.8 Pulling images
- 2.2.9 Searching for images
- 2.2.10 Mounting images
- 2.3 Building images
- 2.3.1 Format of a Containerfile or Dockerfile
- 2.3.2 Automating the building of our application
- Summary
- 3 Volumes
- 3.1 Using volumes with containers
- 3.1.1 Named volumes
- 3.1.2 Volume mount options
- 3.1.3 podman run --mount command option
- Summary
- 4 Pods
- 4.1 Running pods
- 4.2 Creating a pod
- 4.3 Adding a container to a pod
- 4.4 Starting a pod
- 4.5 Stopping a pod
- 4.6 Listing pods
- 4.7 Removing pods
- Summary
- Part 2. Design
- 5 Customization and configuration files
- 5.1 Configuration files for storage
- 5.1.1 Storage location
- 5.1.2 Storage drivers
- 5.2 Configuration files for registries
- 5.2.1 registries.conf
- 5.3 Configuration files for engines
- 5.4 System configuration files
- Summary
- 6 Rootless containers
- 6.1 How does rootless Podman work?
- 6.1.1 Images contain content owned by multiple user identifiers (UIDs)
- 6.2 Rootless Podman under the covers
- 6.2.1 Pulling the image
- 6.2.2 Creating a container
- 6.2.3 Setting up the network
- 6.2.4 Starting the container monitor: conmon
- 6.2.5 Launching the OCI runtime
- 6.2.6 The containerized application runs until completion
- Summary
- Part 3. Advanced topics
- 7 Integration with systemd
- 7.1 Running systemd within a container
- 7.1.1 Containerized systemd requirements
- 7.1.2 Podman container in systemd mode
- 7.1.3 Running an Apache service within a systemd container
- 7.2 Journald for logging and events
- 7.2.1 Log driver
- 7.2.2 Events
- 7.3 Starting containers at boot
- 7.3.1 Restarting containers
- 7.3.2 Podman containers as systemd services
- 7.3.3 Distributing systemd unit files to manage Podman containers
- 7.3.4 Automatically updating Podman containers
- 7.4 Running containers in notify unit files
- 7.5 Rolling back failed containers after update
- 7.6 Socket-activated Podman containers
- Summary
- 8 Working with Kubernetes
- 8.1 Kubernetes YAML files
- 8.2 Generating Kubernetes YAML files with Podman
- 8.3 Generating Podman pods and containers from Kubernetes YAML
- 8.3.1 Shutting down pods and containers based on a Kubernetes YAML file
- 8.3.2 Building images using Podman and Kubernetes YAML files
- 8.4 Running Podman within a container
- 8.4.1 Running Podman within a Podman container
- 8.4.2 Running Podman within a Kubernetes pod
- Summary
- 9 Podman as a service
- 9.1 Introducing the Podman service
- 9.1.1 Systemd services
- 9.2 Podman-supported APIs
- 9.3 Python libraries for interacting with Podman
- 9.3.1 Using docker-py with the Podman API
- 9.3.2 Using podman-py with the Podman API
- 9.3.3 Which Python library should you use?
- 9.4 Using docker-compose with the Podman service
- 9.5 podman --remote
- 9.5.1 Local connections
- 9.5.2 Remote connections
- 9.5.3 Setting up SSH on the client machine
- 9.5.4 Configuring a connection
- Summary
- Part 4. Container security
- 10 Security container isolation
- 10.1 Read-only Linux kernel pseudo filesystems
- 10.1.1 Unmasking the masked paths
- 10.1.2 Masking additional paths
- 10.2 Linux capabilities
- 10.2.1 Dropped Linux capabilities
- 10.2.2 Dropped CAP_SYS_ADMIN
- 10.2.3 Dropping capabilities
- 10.2.4 Adding capabilities
- 10.2.5 No new privileges
- 10.2.6 Root with no capabilities is still dangerous
- 10.3 UID isolation: User namespace
- 10.3.1 Isolating containers using the --userns=auto flag
- 10.3.2 User-namespaced Linux capabilities
- 10.3.3 Rootless Podman with the --userns=auto flag
- 10.3.4 User volumes with the --userns=auto flag
- 10.4 Process isolation: PID namespace
- 10.5 Network isolation: Network namespace
- 10.6 IPC isolation: IPC namespace
- 10.7 Filesystem isolation: Mount namespace
- 10.8 Filesystem isolation: SELinux
- 10.8.1 SELinux type enforcement
- 10.8.2 SELinux Multi-Category Security separation
- 10.9 System call isolation: seccomp
- 10.10 Virtual machine isolation
- Summary
- 11 Additional security considerations
- 11.1 Daemon versus the fork/exec model
- 11.1.1 Access to the docker.sock
- 11.1.2 Auditing and logging
- 11.2 Podman secret handling
- 11.3 Podman image trust
- 11.3.1 Podman image signing
- 11.4 Podman image scanning
- 11.4.1 Read-only containers
- 11.5 Security in depth
- 11.5.1 Podman uses all security mechanisms simultaneously
- 11.5.2 Where should you run your containers?
- Summary
- Appendix A. Podman-related container tools
- A.1 Skopeo
- A.2 Buildah
- A.2.1 Creating a working container from a base image
- A.2.2 Adding data to a working container
- A.2.3 Running commands in a working container
- A.2.4 Adding content to a working container directly from the host
- A.2.5 Configuring a working container
- A.2.6 Creating an image from a working container
- A.2.7 Pushing an image to a container registry
- A.2.8 Building an image from Containerfiles
- A.2.9 Buildah as a library
- A.3 CRI-O: Container Runtime Interface for OCI containers
- Appendix B. OCI runtimes
- B.1 runc
- B.2 crun
- B.3 Kata
- B.4 gVisor
- Appendix C. Getting Podman
- C.1 Installing Podman
- C.1.1 macOS
- C.1.2 Windows
- C.1.3 Arch Linux and Manjaro Linux
- C.1.4 CentOS
- C.1.5 Debian
- C.1.6 Fedora
- C.1.7 Fedora-CoreOS, Fedora Silverblue
- C.1.8 Gentoo
- C.1.9 OpenEmbedded
- C.1.10 openSUSE
- C.1.11 openSUSE Kubic
- C.1.12 Raspberry Pi OS arm64
- C.1.13 Red Hat Enterprise Linux
- C.1.14 Ubuntu
- C.2 Building from source code
- C.3 Podman Desktop
- Summary
- Appendix D. Contributing to Podman
- D.1 Joining the community
- D.2 Podman on github.com
- Appendix E. Podman on macOS
- E.1 Using podman machine
- E.1.1 podman machine init
- E.1.2 Podman machine SSH configuration
- E.1.3 Starting the VM
- E.1.4 Stopping the VM
- Summary
- Appendix F. Podman on Windows
- F.1 First steps
- F.1.1 Prerequisites
- F.1.2 Installing Podman
- F.2 Using podman machine
- F.2.1 podman machine init
- F.2.2 Podman machine SSH configuration
- F.2.3 Starting the WSL 2 instance
- F.2.4 Using podman machine commands
- Summary
- index
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; macOS; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The ePub file format works well for novels and non-fiction books, i.e., "flowing" text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit small displays.
This eBook uses Adobe DRM, a "hard" copy protection. If the necessary requirements are not met, you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorize with your personal Adobe ID after installing any reading software.