Trying out Podman, a rootless alternative to Docker

Hello from the System Solutions Department.

It's been cold lately.
This time, I'd like to write a beginner's article about Podman.

         .--"--.
       / -     - \
      / (O)   (O) \
   ~~~| -=(,Y,)=- |
    .---. /`  \   |~~
 ~/  o  o \~~~~.----. ~~
  | =(X)= |~  / (O (O) \
   ~~~~~~~  ~| =(Y_)=- |
  ~~~~    ~~~|   U   |~~

What is Podman?

Podman (Pod Manager) is an open-source container tool developed by Red Hat. It is compatible with Docker, and its command-line usage is almost identical. For more information, see the official documentation:
https://www.redhat.com/ja/topics/containers/what-is-podman

You may be thinking, "What? Then why not just use Docker?" However, Podman is rootless by default, which gives it the advantage of being more secure out of the box.
(Note: Docker can also run rootless, but it requires additional configuration.)

The reason rootless is safer is this: Docker runs as a daemon started by root, and clients communicate with it through a REST API over a Unix domain socket. Access to that socket requires root privileges and amounts to root access to the host, so a container that can reach it can be used to attack the host. A rootless Podman container, by contrast, runs entirely under the unprivileged user's own account, with no root-owned daemon in between.

Let's try it out right away.

Install

■Environment

Ubuntu 24.04 LTS

The installation itself is easy.
*If you use docker-compose, you can also install podman-compose.

$ sudo apt update
$ sudo apt install podman
$ podman --version
podman version 4.9.3

Check rootless mode (if it says true, you're good).

$ podman info | grep rootless
  rootless: true

Image pull

Now that the installation is complete, let's try pulling the Apache image as a normal user.

$ podman pull docker.io/library/httpd
Trying to pull docker.io/library/httpd:latest...
Getting image source signatures
Copying blob 79b49624e34b done   |
Copying blob d7ad38c6dd97 done   |
Copying blob 4f4fb700ef54 done   |
Copying blob 9bd25d4f7b77 done   |
Copying blob 7d9f97915db2 done   |
Copying blob bc0965b23a04 done   |
Copying config 494b2b45fd done   |
Writing manifest to image destination
494b2b45fd74cbf7eb7dc9cfeda02b26c9450e26719afaf1914635832217c4ce

Now that the pull is complete, let's start the container.
This time we'll publish it on TCP/8888 (rootless containers cannot bind ports below 1024 by default, so a high port is the easy choice).

$ podman run -dt -p 8888:80/tcp docker.io/library/httpd
6e5578b6ab93e131593325aa61c8b78487d6d602a74c78b714aa8b089ac12d0f

# Check startup status
$ podman ps
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS        PORTS                 NAMES
6e5578b6ab93  docker.io/library/httpd:latest  httpd-foreground  5 seconds ago  Up 5 seconds  0.0.0.0:8888->80/tcp  quizzical_tharp

Now that it's up, let's try accessing it.
If the response says "It works!", everything is fine.

$ curl http://127.0.0.1:8888
<html><body><h1>It works!</h1></body></html>

It also shows up in the browser.

Just like with Docker, you can also check logs and process status.

$ podman logs -l
[Thu Dec 12 02:48:15.892285 2024] [mpm_event:notice] [pid 1:tid 1] AH00489: Apache/2.4.62 (Unix) configured -- resuming normal operations
[Thu Dec 12 02:48:15.893410 2024] [core:notice] [pid 1:tid 1] AH00094: Command line: 'httpd -D FOREGROUND'
10.0.2.100 - - [12/Dec/2024:02:48:57 +0000] "GET / HTTP/1.1" 200 45
10.0.2.100 - - [12/Dec/2024:02:48:57 +0000] "GET /favicon.ico HTTP/1.1" 404 196
10.0.2.100 - - [12/Dec/2024:02:50:24 +0000] "GET / HTTP/1.1" 200 45

$ podman top -l
USER        PID         PPID        %CPU        ELAPSED            TTY         TIME        COMMAND
root        1           0           0.000       4m36.020462289s    pts/0       0s          httpd -DFOREGROUND
www-data    8           1           0.000       4m36.022522465s    pts/0       0s          httpd -DFOREGROUND
www-data    9           1           0.000       4m36.02299156s     pts/0       0s          httpd -DFOREGROUND
www-data    10          1           0.000       4m36.023751351s    pts/0       0s          httpd -DFOREGROUND
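The steps above (check rootless mode, run httpd on a high port, confirm "It works!", inspect with podman top) can be wrapped in a small preflight script. The following is an added example written for this article, not code from the Podman project; it assumes podman 4.x and curl are installed and that the user's subordinate UID/GID ranges live in /etc/subuid and /etc/subgid. The pure helper functions run anywhere; the live part only runs when podman is present. Note the `huser` column at the end: the "root" that podman top shows inside the container maps to your own unprivileged host account, which is exactly what rootless means.

```shell
#!/bin/sh
# Added example (not from the original article): preflight checks for
# running the article's httpd container rootless, then the run itself.
# Assumes podman 4.x and curl are installed.

# Rootless Podman cannot bind ports below the kernel's unprivileged-port
# threshold (net.ipv4.ip_unprivileged_port_start, default 1024), which is
# why the article publishes on 8888 rather than 80. Returns 0 if PORT is
# bindable by an unprivileged user given START (default 1024).
port_is_unprivileged() {
    port=$1
    start=${2:-1024}
    [ "$port" -ge "$start" ] && [ "$port" -le 65535 ]
}

# Extract the rootless flag from `podman info` text read on stdin (the same
# line the article greps for). Prints "true" or "false".
rootless_flag() {
    awk '$1 == "rootless:" { print $2; found = 1 }
         END { if (!found) print "false" }'
}

# Rootless containers need a subordinate UID/GID range for the user in
# /etc/subuid and /etc/subgid (format user:start:count). Returns 0 if USER
# has such a line in FILE.
has_subid_range() {
    user=$1
    file=$2
    grep -q "^${user}:[0-9][0-9]*:[0-9][0-9]*$" "$file"
}

# Only run the live part when podman is actually installed.
if command -v podman >/dev/null 2>&1; then
    port=8888
    me=$(id -un)
    start=$(sysctl -n net.ipv4.ip_unprivileged_port_start 2>/dev/null || echo 1024)
    port_is_unprivileged "$port" "$start" \
        || { echo "port $port needs root to bind; pick one >= $start" >&2; exit 1; }
    [ "$(podman info | rootless_flag)" = "true" ] \
        || { echo "podman is not running rootless" >&2; exit 1; }
    has_subid_range "$me" /etc/subuid && has_subid_range "$me" /etc/subgid \
        || { echo "no subuid/subgid range for $me" >&2; exit 1; }

    cid=$(podman run -dt -p "${port}:80/tcp" docker.io/library/httpd)
    sleep 2
    curl -s "http://127.0.0.1:${port}" | grep -q "It works!" \
        && echo "httpd answered on port ${port}"
    # `user` is the UID as seen inside the container, `huser` the host UID it
    # maps to: the container's "root" is your own unprivileged account.
    podman top "$cid" user huser pid hpid
    podman rm -f "$cid" >/dev/null
fi
```

Run it as the same normal user you used for podman pull; if any preflight check fails, the script says which one and exits before starting anything.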

Of course, there are some differences, but I think anyone who has used Docker will be able to use it without any trouble.

$ podman run quay.io/podman/hello
Trying to pull quay.io/podman/hello:latest...
Getting image source signatures
Copying blob 81df7ff16254 done   |
Copying config 5dd467fce5 done   |
Writing manifest to image destination
!... Hello Podman World ...!

         .--"--.
       / -     - \
      / (O)   (O) \
   ~~~| -=(,Y,)=- |.

Documents: https://docs.podman.io
YouTube:   https://youtube.com/@Podman
X/Twitter: @Podman_io
Mastodon:  @[email protected]

By the way, the official mascot of Podman is not a seal but a selkie, a creature from Scottish folklore. (Apparently the name comes from the fact that a group of selkies is called a "pod." So cute.)

Closing


About the author

Kawa Ken

A curious Pokemon from the System Solutions Department