Will you replace Docker? Next-generation container management tools Podman and Buildah

Background

When people talk about containers, Docker is the first thing that comes to mind; the two words are that closely linked. However, Docker is no longer included or supported as a standard package in Red Hat Enterprise Linux (RHEL) 8, the latest major version developed by Red Hat. Docker was designed so that all of its functions went through the Docker daemon, which made pushing and pulling images, managing storage, and so on convenient, but it also caused problems. The following two are particularly significant.

- The daemon must be running, and everything stops working if its process goes down
- Containers had to be started with root privileges, so a vulnerability or misconfiguration could let those privileges be taken over

Several new container tools have been developed to address these issues. They are Podman and Buildah, which I will introduce in this article. Red Hat's official documentation is the most detailed source on this topic, but I wanted to write up what I learned by trying the tools myself.

What is Podman

Podman is a tool that starts and stops pods locally without using Kubernetes. It has the following features:

- No daemon needs to be started (daemonless)
- Pods can be started by an ordinary user without root privileges (rootless mode)
- Images built with Docker can be run with Podman (OCI compatible)

In addition, Podman's command line is compatible with Docker's, so the same usage as the docker command can be achieved with the podman command. However, some docker options have been removed, so the two are not fully compatible. (Reference: [Chapter 8, Command-line reference for containers](https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/8/html/building_running_and_managing_containers/container-command-line-reference_building-running-and-managing-containers))

What is Buildah

Buildah is a tool that builds OCI-compliant container images and pushes them to a registry.

Although its functionality overlaps with Podman in places, Buildah has only the minimum functionality required to build a container image, and deliberately nothing more. It has the following features:

- No daemon is used
- A container image can be built from a scratch (empty) image
- The resulting image does not include build tools, so it is small

Because it can build from a scratch image, you can produce a container image that is even lighter than one pulled from an official repository (for example, install RHEL packages into a scratch image and then add Apache). Of course, you can also build an image from a Dockerfile. Having briefly explained the two tools, I would like to install them on an actual machine and try them out.

Environment and tools

Red Hat's official documentation is the best way to understand how to install and use the various tools. It looks easy to follow, so I will basically verify things by working through it.

Installation and initial settings

You can install them one by one, but on a Red Hat Linux distribution you can install them all at once with this command (yum can be used in place of dnf):

# dnf module install -y container-tools

Increase the number of user namespaces

A namespace is a kernel feature that exists for various kinds of system resources and makes the resources belonging to a process appear to be independent of those of other processes. I'm still learning, so I can't explain it in detail, but a user namespace gives processes their own independent user IDs and group IDs. For details, see the "Try and Understand Linux Mechanisms" column in the July 2020 issue of Software Design (https://gihyo.jp/magazine/SD/archive/2020/202007). Getting back to the topic, increase the number of user namespaces with the following commands:

# echo "user.max_user_namespaces=28633" > /etc/sysctl.d/userns.conf
# sysctl -p /etc/sysctl.d/userns.conf

In this state, switch to a non-root user and confirm that you can pull an image with podman.

$ podman pull registry.access.redhat.com/ubi8/ubi
$ podman run registry.access.redhat.com/ubi8/ubi cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.2 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.2"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.2 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8.2:GA"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.2
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.2"

I pulled the Universal Base Image (UBI) provided by Red Hat and started a container from it. The OS version information inside the container is shown by running cat /etc/os-release in the started container. I was able to confirm that podman can be run as a non-root user and operate containers. Next, I will explain various operations.
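Rootless Podman depends on two things: the user-namespace sysctl set above, and a subordinate UID/GID range for the user in /etc/subuid and /etc/subgid, which is where container UIDs are mapped. The following check script is an added example, not part of the original article; the functions take their input from stdin or arguments so they can be exercised on a constructed /etc/subuid sample without root or podman installed.

```shell
# Added example: sanity-check the prerequisites for rootless Podman.

# Sum the subordinate-id counts assigned to USER in subuid/subgid formatted
# input ("user:start:count" per line) read from stdin. Prints the total.
subid_range_size() {
    user="$1"
    awk -F: -v u="$user" '$1 == u { total += $3 } END { print total + 0 }'
}

# Exit status 0 if the kernel allows at least MIN (default 1) user namespaces;
# a value of 0 means user namespaces, and therefore rootless mode, are disabled.
userns_enabled() {
    value="$1"; min="${2:-1}"
    [ "$value" -ge "$min" ] 2>/dev/null
}

# Report on the running system. The two checks above are kept separate so they
# can be tested on constructed input.
check_rootless_prereqs() {
    me="$(id -un)"
    maxns="$(sysctl -n user.max_user_namespaces 2>/dev/null || echo 0)"
    if userns_enabled "$maxns"; then
        echo "user.max_user_namespaces=$maxns: ok"
    else
        echo "user.max_user_namespaces=$maxns: user namespaces disabled" >&2
        return 1
    fi
    for f in /etc/subuid /etc/subgid; do
        size="$(subid_range_size "$me" < "$f")"
        # 65536 ids covers a full 16-bit uid range inside the container.
        if [ "$size" -ge 65536 ]; then
            echo "$f: $me has $size ids: ok"
        else
            echo "$f: $me has only $size ids; add a subordinate id range" >&2
            return 1
        fi
    done
}

# Constructed sample in /etc/subuid format for exercising the parser
# (two ranges for alice, one small range for bob).
SAMPLE_SUBUID='alice:100000:65536
bob:165536:1000
alice:200000:65536'

# On a real host: check_rootless_prereqs
```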

Image search and pull

You can search for images with podman search <image name>.

$ podman search node
INDEX        NAME                                                                                  DESCRIPTION                                       STARS   OFFICIAL   AUTOMATED
redhat.com   registry.access.redhat.com/openshift3/node                                            Provides a containerized OpenShift Node with...   0    
redhat.com   registry.access.redhat.com/openshift3/prometheus-node-exporter                        Prometheus exporter for hardware and OS metr...   0    
redhat.com   registry.access.redhat.com/codeready-workspaces/stacks-node                           Red Hat CodeReady Workspaces - Node Stack co...   0    
redhat.com   registry.access.redhat.com/rhel7/kubernetes-scheduler                                 The Kubernetes scheduler watches for new un-...   0    
redhat.com   registry.access.redhat.com/openshift3/metrics-hawkular-openshift-agent                Hawkular OpenShift Agent is a Hawkular feed ...   0    
redhat.com   registry.access.redhat.com/openshift3/ose-node-problem-detector                       Node Problem Detector monitors OpenShift nod...   0    
redhat.com   registry.access.redhat.com/openshift3/ose-metrics-heapster                            Retrieves container and node metrics from an...   0    
redhat.com   registry.access.redhat.com/openshift3/metrics-heapster                                Retrieves container and node metrics from an...   0    
redhat.com   registry.access.redhat.com/openshift3/ose-keepalived-ipfailover                       Optional Pod providing keepalived support fo...   0    
redhat.com   registry.access.redhat.com/openshift3/ose-metrics-hawkular-openshift-agent            Hawkular OpenShift Agent is a Hawkular feed ...   0    
redhat.com   registry.access.redhat.com/openshift3/ose-node                                        Provides a containerized OpenShift Node with...   0    
redhat.com   registry.access.redhat.com/amqstreams-1/amqstreams10-kafkaconnect-openshift           AMQ Streams image for running an Apache Kafk...   0    
redhat.io    registry.redhat.io/openshift3/node                                                    Provides a containerized OpenShift Node with...   0    
redhat.io    registry.redhat.io/openshift4/ose-prometheus-node-exporter                            Prometheus exporter for hardware and OS metr...   0    
redhat.io    registry.redhat.io/openshift4/ose-cluster-node-tuning-operator                        'OpenShift Node Tuning Operator'                  0    
redhat.io    registry.redhat.io/openshift4/ose-node                                                'OpenShift Container Platform Node'               0    
redhat.io    registry.redhat.io/openshift3/prometheus-node-exporter                                Prometheus exporter for hardware and OS metr...   0    
redhat.io    registry.redhat.io/openshift4/ose-csi-node-driver-registrar                           CSI Node Driver Registar                          0    
redhat.io    registry.redhat.io/openshift4/ose-node-feature-discovery                              Node Feature Discovery Container Image            0    
redhat.io    registry.redhat.io/openshift4/ose-cluster-nfd-operator                                Node Feature Discovery (NFD) Operator             0    
redhat.io    registry.redhat.io/codeready-workspaces/stacks-node                                   Red Hat CodeReady Workspaces - Node Stack co...   0    
redhat.io    registry.redhat.io/codeready-workspaces/stacks-node-rhel8                             Red Hat CodeReady Workspaces - Node 10 Stack      0    
redhat.io    registry.redhat.io/codeready-workspaces/plugin-java8-rhel8                            Red Hat CodeReady Workspaces - Java 8 plugin...   0    
redhat.io    registry.redhat.io/rhel7/kubernetes-scheduler                                         The Kubernetes scheduler watches for new un-...   0    
redhat.io    registry.redhat.io/openshift3/metrics-hawkular-openshift-agent                        Hawkular OpenShift Agent is a Hawkular feed ...   0    
redhat.io    registry.redhat.io/openshift3/ose-node-problem-detector                               Node Problem Detector monitors OpenShift nod...   0    
redhat.io    registry.redhat.io/openshift3/ose-metrics-heapster                                    Retrieves container and node metrics from an...   0    
redhat.io    registry.redhat.io/openshift3/metrics-heapster                                        Retrieves container and node metrics from an...   0    
redhat.io    registry.redhat.io/openshift3/ose-metrics-hawkular-openshift-agent                    Hawkular OpenShift Agent is a Hawkular feed ...   0    
redhat.io    registry.redhat.io/openshift3/ose-keepalived-ipfailover                               Optional Pod providing keepalived support fo...   0    
redhat.io    registry.redhat.io/container-native-virtualization/node-maintenance-operator          Red Hat Container Native Virtualization imag...   0    
redhat.io    registry.redhat.io/openshift3/ose-node                                                Provides a containerized OpenShift Node with...   0    
redhat.io    registry.redhat.io/amqstreams-1/amqstreams10-kafkaconnect-openshift                   AMQ Streams image for running an Apache Kafk...   0    
redhat.io    registry.redhat.io/openshift4/ose-cluster-machine-approver                            'Validates and approves CSRs for nodes attem...   0    
redhat.io    registry.redhat.io/container-native-virtiualization/node-maintenance-rhel8-operator   Red Hat Container Native Virtualization imag...   0    
redhat.io    registry.redhat.io/openshift4/ose-ptp                                                 Linuxptp daemonset to apply ptp configuratio...   0    
redhat.io    registry.redhat.io/container-native-virtualization/kubevirt-cpu-node-labeller         Red Hat Container Native Virtualization imag...   0    
docker.io    docker.io/library/node                                                                Node.js is a JavaScript-based platform for s...   9152    [OK]
docker.io    docker.io/nodered/node-red-docker                                                     Deprecated - older Node-RED Docker images.        351                [OK]
docker.io    docker.io/bitnami/node                                                                Bitnami Node.js Docker Image                      45                 [OK]
docker.io    docker.io/appsvc/node                                                                 Azure App Service Node.js dockerfiles             14                 [OK]
docker.io    docker.io/circleci/node                                                               Node.js is a JavaScript-based platform for s...   110  
docker.io    docker.io/prom/node-exporter                                                                                                            193                [OK]
docker.io    docker.io/calico/node                                                                 Calico's per-host DaemonSet container image....   19                 [OK]
docker.io    docker.io/library/mongo-express                                                       Web-based MongoDB admin interface, written w...   754     [OK]
docker.io    docker.io/iron/node                                                                   Tiny Node image                                   29   
docker.io    docker.io/bitnami/node-exporter                                                       Bitnami Node Exporter Docker Image                2                  [OK]
docker.io    docker.io/kkarczmarczyk/node-yarn                                                     Node docker image with yarn package manager ...   48                 [OK]
docker.io    docker.io/nodered/node-red                                                            Low-code programming for event-driven applic...   175  
docker.io    docker.io/nodecg/nodecg                                                               Create broadcast graphics using Node.js and ...   1                  [OK]
docker.io    docker.io/selenium/node-chrome                                                                                                          213                [OK]
docker.io    docker.io/appsvctest/node                                                             node build                                        0                  [OK]
docker.io    docker.io/library/iojs                                                                io.js is an npm compatible platform original...   135     [OK]
docker.io    docker.io/camptocamp/node-collectd                                                    rancher node monitoring agent                     0                  [OK]
docker.io    docker.io/ppc64le/node                                                                Node.js is a JavaScript-based platform for s...   2    
docker.io    docker.io/testim/node-chrome                                                          Selenium Chrome Node + Testim Extension           0                  [OK]
docker.io    docker.io/digitallyseamless/nodejs-bower-grunt                                         Node.js w/ Bower & Grunt Dockerfile for tru...   48                 [OK]
docker.io    docker.io/cusspvz/node                                                                ? Super small Node.js container (~15MB) b...      8                  [OK]
docker.io    docker.io/ogazitt/node-env                                                            node app that shows environment variables         2    
docker.io    docker.io/basi/node-exporter                                                          Node exporter image that allows to expose th...   8                  [OK]
docker.io    docker.io/selenium/node-firefox                                                                                                         136                [OK]
docker.io    docker.io/tarampampam/node                                                            Docker image, based on node, with some addit...   2                  [OK]

You can restrict the results to images from official publishers with --filter=is-official.

$ podman search node --filter=is-official
INDEX       NAME                              DESCRIPTION                                       STARS   OFFICIAL   AUTOMATED
docker.io   docker.io/library/node            Node.js is a JavaScript-based platform for s...   9152    [OK]
docker.io   docker.io/library/mongo-express   Web-based MongoDB admin interface, written w...   757     [OK]
docker.io   docker.io/library/iojs            io.js is an npm compatible platform original...   135     [OK]

And like Docker, you can bring an image to the local machine with podman pull <image name>.

$ podman pull docker.io/library/node
Trying to pull docker.io/library/node...
Getting image source signatures
Copying blob de30e8b35015 done
Copying blob 419e7ae5bb1e done
Copying blob 7ec8a0667334 done
Copying blob 848839e0cd3b done
~~~~~ Omitted ~~~~~~~~
$ podman images
REPOSITORY                            TAG      IMAGE ID       CREATED       SIZE
docker.io/library/node                latest   784e696f5060   2 weeks ago   972 MB

Red Hat's own container images are published in the Red Hat Container Catalog (https://catalog.redhat.com/software/containers/explore).

Start container

Like docker, podman starts a container with podman run.

$ podman run -it --rm node bash
root@cc0bf2c6cc65:/# cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
VERSION_CODENAME=stretch
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Build image

You can build an image with the buildah command, and you can also build from a Dockerfile with the buildah bud command. (There is an official tutorial, so please refer to that.) Incidentally, buildah images also lists the images pulled by podman.

$ podman images
REPOSITORY                                    TAG      IMAGE ID       CREATED          SIZE
localhost/johndoe/webserver                   latest   6d36abc8f72f   24 minutes ago   245 MB
registry.access.redhat.com/ubi8/ubi           latest   a1f8c9699786   5 weeks ago      211 MB
registry.access.redhat.com/ubi8/ubi-minimal   latest   86c870596572   5 weeks ago      146 MB

$ buildah images
REPOSITORY                                    TAG      IMAGE ID       CREATED          SIZE
localhost/johndoe/webserver                   latest   6d36abc8f72f   24 minutes ago   245 MB
registry.access.redhat.com/ubi8/ubi           latest   a1f8c9699786   5 weeks ago      211 MB
registry.access.redhat.com/ubi8/ubi-minimal   latest   86c870596572   5 weeks ago      146 MB

Build with the buildah command from a Dockerfile with the following contents.

# ls
Dockerfile  myecho
# cat Dockerfile
FROM registry.access.redhat.com/ubi8/ubi:latest
ADD myecho /usr/local/bin
ENTRYPOINT "/usr/local/bin/myecho"
# cat myecho
echo "This container works!"
# chmod 755 myecho
# ./myecho
This container works!

After creating the Dockerfile, run buildah bud -t myecho-container . (the tag must match the image name used below). The image is built according to the statements in the file. Let's run the container when the build is complete.

$ buildah  images
REPOSITORY                            TAG      IMAGE ID       CREATED          SIZE
localhost/myecho-container            latest   5098f73df28e   50 seconds ago   211 MB
$ podman run localhost/myecho-container
This container works!

As an aside, according to the buildah tutorial it seems that you can start a container with buildah run, but it failed.

$ buildah run localhost/myecho-container
command must be specified
ERRO exit status 1                 

Delete container, image

Like docker, you can delete containers with the rm subcommand.

$ podman ps -a
CONTAINER ID  IMAGE                                       COMMAND        CREATED        STATUS                         PORTS                 NAMES
06a79ab009f3  registry.access.redhat.com/ubi8/ubi:latest  /bin/bash      3 minutes ago  Exited (1) About a minute ago                        mystifying_jepsen
e8a1c6fbc91f  localhost/johndoe/webserver:latest          -D FOREGROUND  29 hours ago   Exited (135) 28 hours ago      0.0.0.0:8080->80/tcp  agitated_morse
$ podman rm e8a1c6fbc91f
e8a1c6fbc91f9252f13a34e6a2275078cdadef196e135bb32330784b8d012ad3
$ podman ps -a
CONTAINER ID  IMAGE                                       COMMAND        CREATED        STATUS                    PORTS                 NAMES
06a79ab009f3  registry.access.redhat.com/ubi8/ubi:latest  /bin/bash      4 minutes ago  Exited (1) 3 minutes ago                        mystifying_jepsen

Images can be deleted with the rmi subcommand in the same way.

$ podman images
REPOSITORY                                    TAG      IMAGE ID       CREATED        SIZE
localhost/johndoe/webserver                   latest   6d36abc8f72f   29 hours ago   245 MB
registry.access.redhat.com/ubi8/ubi           latest   a1f8c9699786   5 weeks ago    211 MB
registry.access.redhat.com/ubi8/ubi-minimal   latest   86c870596572   5 weeks ago    146 MB
docker.io/library/fedora                      latest   a368cbcfa678   7 weeks ago    189 MB

$ podman rmi docker.io/library/fedora
Untagged: docker.io/library/fedora:latest
Deleted: a368cbcfa6789bc347345f6d19132afe138b62ff5373d2aa5f37120277c90b54
$ podman rmi 86c870596572
Untagged: registry.access.redhat.com/ubi8/ubi-minimal:latest
Deleted: 86c870596572a5b4fe016f4fb7ae9d181e88df6ac91d2cb15250c5e053cfad15

$ podman images
REPOSITORY                            TAG      IMAGE ID       CREATED        SIZE
localhost/johndoe/webserver           latest   6d36abc8f72f   29 hours ago   245 MB
registry.access.redhat.com/ubi8/ubi   latest   a1f8c9699786   5 weeks ago    211 MB

Creating a Kube pod yaml file

Another feature of Podman is that you can use podman generate to create a Kubernetes pod manifest. Run a mariadb container, output Kubernetes YAML with the `podman generate` command, and redirect it to a file.

$ podman run -d -e MYSQL_USER=user -e MYSQL_PASSWORD=pass \
>      -e MYSQL_DATABASE=db -p 3306:3306 --name mymariadb rhscl/mariadb-102-rhel7
Trying to pull registry.access.redhat.com/rhscl/mariadb-102-rhel7...
Getting image source signatures
Copying blob 9e7a6dc796f0 done
Copying blob e7021e0589e9 done
Copying blob fc5b206e9329 [======================================] 72.7MiB / 72.7MiB
Copying blob 98b39311ee6a done
Copying config 5ca39d258f done
Writing manifest to image destination
Storing signatures
8e994c65e7a24febfa57c6cc79c44c7fce37c8593a087d9efb5c45b994169b48

$ podman ps -a
CONTAINER ID  IMAGE                                                      COMMAND     CREATED         STATUS             PORTS                   NAMES
8e994c65e7a2  registry.access.redhat.com/rhscl/mariadb-102-rhel7:latest  run-mysqld  41 seconds ago  Up 40 seconds ago  0.0.0.0:3306->3306/tcp  mymariadb

$ podman generate kube mymariadb > mymariadbkube.yaml
# Generation of Kubernetes YAML is still under development!
#
# Save the output of this file and use kubectl create -f to import
# it into Kubernetes.
#
# Created with podman-1.9.3
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2020-08-29T05:37:11Z"
  labels:
    app: mymariadb
  name: mymariadb
spec:
  containers:
  - command:
    - run-mysqld
    env:
    - name: PATH
      value: /opt/app-root/src/bin:/opt/app-root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    - name: TERM
      value: xterm
    - name: HOSTNAME
    - name: container
      value: oci
    - name: STI_SCRIPTS_URL
      value: image:///usr/libexec/s2i
    - name: MYSQL_PASSWORD
      value: pass
    - name: ENABLED_COLLECTIONS
      value: rh-mariadb102
    - name: PROMPT_COMMAND
      value: . /usr/share/container-scripts/mysql/scl_enable
    - name: HOME
      value: /var/lib/mysql
    - name: ENV
      value: /usr/share/container-scripts/mysql/scl_enable
    - name: PLATFORM
      value: el7
    - name: STI_SCRIPTS_PATH
      value: /usr/libexec/s2i
    - name: MYSQL_USER
      value: user
    - name: MYSQL_DATABASE
      value: db
    - name: DESCRIPTION
      value: MariaDB is a multi-user, multi-threaded SQL database server. The container
        image provides a containerized packaging of the MariaDB mysqld daemon and
        client application. The mysqld server daemon accepts connections from clients
        and provides access to content from MariaDB databases on behalf of the clients.
    - name: SUMMARY
      value: MariaDB 10.2 SQL database server
    - name: APP_ROOT
      value: /opt/app-root
    - name: MYSQL_PREFIX
      value: /opt/rh/rh-mariadb102/root/usr
    - name: APP_DATA
      value: /opt/app-root/src
    - name: BASH_ENV
      value: /usr/share/container-scripts/mysql/scl_enable
    - name: CONTAINER_SCRIPTS_PATH
      value: /usr/share/container-scripts/mysql
    - name: MYSQL_VERSION
      value: "10.2"
    image: registry.access.redhat.com/rhscl/mariadb-102-rhel7:latest
    name: mymariadb
    ports:
    - containerPort: 3306
      hostPort: 3306
      protocol: TCP
    resources: {}
    securityContext:
      allowPrivilegeEscalation: true
      capabilities: {}
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 27
      runAsUser: 27
      seLinuxOptions: {}
    workingDir: /opt/app-root/src
status: {}

After that, you can create the Pod from this YAML file with the kubectl command: kubectl create -f mymariadbkube.yaml
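Before handing the generated file to kubectl it is worth reviewing: podman generate kube copies every environment variable of the container into the pod spec, so the MYSQL_PASSWORD passed on the command line is now a plaintext literal in the manifest, and the emitted securityContext sets allowPrivilegeEscalation: true. The following script is an added example, not part of the article or of Podman; it is a line-oriented check for the exact shape podman emits, not a general YAML parser, and runs on a constructed excerpt of the manifest above.

```shell
# Added example: flag inline secrets and weak securityContext settings in a
# pod manifest of the form podman generate kube produces. Reads YAML on stdin
# and prints one line per finding.
manifest_findings() {
    awk '
        # An env entry starts with "- name: X"; remember X until the next entry.
        /^[[:space:]]*- name: / { pending = $3; next }
        # A "value:" directly under a secret-looking name is an inline secret.
        /^[[:space:]]*value:/ && pending != "" {
            if (toupper(pending) ~ /PASSWORD|PASSWD|SECRET|TOKEN|APIKEY|API_KEY/)
                print "secret-in-env: " pending " has an inline value; move it to a Secret and use valueFrom"
            pending = ""; next
        }
        /^[[:space:]]*allowPrivilegeEscalation:[[:space:]]*true/ {
            print "privesc: allowPrivilegeEscalation is true; set it to false"
        }
        /^[[:space:]]*privileged:[[:space:]]*true/ {
            print "privileged: container runs privileged"
        }
    '
}

# Number of findings, usable as a gate in front of kubectl create.
manifest_finding_count() {
    manifest_findings | wc -l | tr -d ' '
}

# Constructed excerpt in the shape podman generate kube produced above
# (an env entry with no value, a password literal, a harmless literal,
# and the emitted securityContext).
SAMPLE_MANIFEST='apiVersion: v1
kind: Pod
spec:
  containers:
  - env:
    - name: HOSTNAME
    - name: MYSQL_PASSWORD
      value: pass
    - name: MYSQL_USER
      value: user
    securityContext:
      allowPrivilegeEscalation: true
      privileged: false
      runAsUser: 27'

# On the real file: manifest_findings < mymariadbkube.yaml
```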

Summary

I explained how the various tools operate. These two commands are the tools that work behind ansible-bender, which I will introduce in the next article and which lets you create container images with Ansible. I haven't heard much about Podman and Buildah yet, but I think they will attract attention as container management tools to replace Docker in the future, so I would like to deepen my understanding and get properly hands-on with them.
