podman run --rm -it registry.access.redhat.com/ubi8 /bin/bash
In this exercise, you’ll learn the fundamentals of container images, including how to run them and how to see what is inside of a container. Container storage volumes will be discussed, showing how to mount external file systems, with useful functions and data. We will also discuss container metadata and explain what types of information you can get from them.
What you can do with container images, using 'podman run'
When you execute the podman run
command, a new container is created, from a container image. That container consists of the image contents, plus any features based on additional selected options.
The command you pass on the podman run
command line considers the inside of the container its running environment. So, by default, very little of the host system is visible. For example, by default, the running application sees:
The file system provided by the container image.
A new process table from inside the container (no processes from the host are visible).
New network interfaces (By default, a separate container network interface provides a private IP address to each container via DHCP.)
Additionally you can also…
Make a directory from the host available to the container, from the podman run
command line:
Map network ports from the container to the host.
Limit the amount of memory the container can use, or expand the CPU shares available to the container.
podman run --rm -it registry.access.redhat.com/ubi8 /bin/bash
Trying to pull registry.access.redhat.com/ubi8...Getting image source signatures Copying blob sha256:e0f71f706c2a1ff9efee4025e27d4dfd4f328190f31d16e11ef3283bc16d6842 71.45 MB / ? [--------------------=---------------------------------------] 7s Copying blob sha256:121ab4741000471a7e2ddc687dedb440060bf9845ca415a45e99e361706f1098 1.22 KB / ? [----------------------------------------------------=--------] 0s Copying config sha256:7a840db7f020be49bb60fb1cc4f1669e83221d61c1af23ff2cac2f870f9deee8 6.21 KB / 6.21 KB [========================================================] 0s Writing manifest to image destination Storing signatures
NOTE: When you see a prompt like the following, you are in the container:
|
ls
whoami
uname -a
exit
to exit.exit
In this section, we will mount a system volume to a container and use commands that are not present in the container.
Note: The following command will fail as the "ip" command is not present in the base rhel7 container image.
Container images are very minimal installs of their referenced operating system, so commonly-used commands may not be present.
podman run --rm -it ubi8/python-39 /usr/sbin/lshw
container create failed: container_linux.go:348: starting container process caused "exec: \"/usr/sbin/lshw\": stat /usr/sbin/lshw: no such file or directory" : internal libpod error
However, if we use -v <source>:<destination>
, the <source>
file or directory is mapped from the container host to the inside of the container. Running the same command with the -v
volume switch will run the ip command successfully:
podman run -v /usr/sbin:/usr/sbin --rm -it ubi8/python-39 /usr/sbin/lshw
*-input:7 product: Power Button physical id: 8 logical name: input2 logical name: /dev/input/event2 capabilities: platform WARNING: output may be incomplete or inaccurate, you should run this program as super-user.
Volume mounts can be used for logging to the container host for event retention.
podman run -v /dev/log:/dev/log --rm ubi8 logger Testing logging to the host
Search for the container event on the container host log, using the following command.
journalctl | grep "Testing logging"
May 26 03:28:42 ip-10-0-2-6.ec2.internal root[25499]: Testing logging to the host
The -w switch specifies the working directory where binaries are executed. If unspecified, the root directory (/) is used.
sudo mkdir -m 775 /opt/rhel_data
sudo chgrp adm /opt/rhel_data
podman run -d -p 8080:8000 --name="python_web" \
-w /opt \
-v /opt/rhel_data:/var/www/html ubi8/python-39 \
-- python -m http.server -d /var/www/html
ps
switchpodman ps
CONTAINER ID IMAGE COMMAND CREATED AT STATUS PORTS NAMES fcd06aee9533 registry.access.redhat.com/ubi8/python-39:latest python -m http... 2021-05-23 17:21:40 +0000 UTC Up 45 seconds ago 0.0.0.0:8080->8000/udp, 0.0.0.0:8080->8000/tcp python_web
ll /opt/rhel_data/
total 0
curl localhost:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html> <title>Directory listing for /</title> <body> <h2>Directory listing for /</h2> <hr> <ul> </ul> <hr> </body> </html>
/opt/rhel_data
directory.for i in {1..10}; do touch /opt/rhel_data/file${i}; done
/opt/rhel_data
ll /opt/rhel_data/
total 0 -rw-r--r--. 1 root root 0 Feb 14 22:38 file1 -rw-r--r--. 1 root root 0 Feb 14 22:38 file10 -rw-r--r--. 1 root root 0 Feb 14 22:38 file2 -rw-r--r--. 1 root root 0 Feb 14 22:38 file3 -rw-r--r--. 1 root root 0 Feb 14 22:38 file4 -rw-r--r--. 1 root root 0 Feb 14 22:38 file5 -rw-r--r--. 1 root root 0 Feb 14 22:38 file6 -rw-r--r--. 1 root root 0 Feb 14 22:38 file7 -rw-r--r--. 1 root root 0 Feb 14 22:38 file8 -rw-r--r--. 1 root root 0 Feb 14 22:38 file9
/opt/rhel_data
volume:curl localhost:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html> <title>Directory listing for /</title> <body> <h2>Directory listing for /</h2> <hr> <ul> <li><a href="file1">file1</a> <li><a href="file10">file10</a> <li><a href="file2">file2</a> <li><a href="file3">file3</a> <li><a href="file4">file4</a> <li><a href="file5">file5</a> <li><a href="file6">file6</a> <li><a href="file7">file7</a> <li><a href="file8">file8</a> <li><a href="file9">file9</a> </ul> <hr> </body> </html>
Container images have metadata associated with them that can describe processes and network settings. The following command returns a little over 300 lines of JSON data. The output below is truncated for brevity. Feel free to read over the metadata.
podman inspect python_web
[{ "ID": "fcd06aee95338748ab86faddd696c2cda212e7797b1e44428434da4a0d0b2b45", "Created": "2018-05-23T17:21:40.315773016Z", "Path": "python", "Args": [ "-m", "http.server", "-d", "/var/www/html" ], ... "Name": "python_web", "RestartCount": 0, "Driver": "overlay", "MountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c744,c884", "ProcessLabel": "system_u:system_r:svirt_lxc_net_t:s0:c744,c884", ...
You can use a dot notation to parse the metadata returned by 'podman inspect' and use it in your scripting, to quickly access properties you need, as shown in the following example.
podman inspect -f {{.State.StartedAt}} python_web
2023-08-10 22:49:35.001785165 -0400 EDT
You can see the use of cgroups when attached to the container tty.
podman run --rm -it ubi8 bash
Listing the contents of /proc/1/cgroup
will show the cgroup labels.
cat /proc/1/cgroup
12:perf_event:/ 11:pids:/user.slice/user-1000.slice/session-8.scope 10:rdma:/ 9:freezer:/ 8:devices:/system.slice/sshd.service 7:net_cls,net_prio:/ 6:cpu,cpuacct:/ 5:memory:/user.slice/user-1000.slice/session-8.scope 4:hugetlb:/ 3:blkio:/system.slice/sshd.service 2:cpuset:/ 1:name=systemd:/user.slice/user-1000.slice/user@1000.service/user.slice/podman-295131.scope/f5eacdea88411f2cd160e4a027f9f1bbb49f68d3735b2b99352ab73b7b844fb1
Type exit
to exit the container. Running the same command from your student system, outside of the container context, will list the same top level groups without labels.
cat /proc/1/cgroup
12:perf_event:/ 11:pids:/init.scope 10:rdma:/ 9:freezer:/ 8:devices:/ 7:net_cls,net_prio:/ 6:cpu,cpuacct:/ 5:memory:/init.scope 4:hugetlb:/ 3:blkio:/ 2:cpuset:/ 1:name=systemd:/init.scope
Domain | ||
Workshop | ||
Student ID |