Podman - Getting started - Part 1
This miniseries will come in multiple parts, starting from the basics of installing podman on Ubuntu and moving on to more advanced features and the management of containers and pods, all aimed at running podman in userspace mode, also called rootless mode. At the end of the miniseries I will go through some of the differences between rootless and rootful, their implications for security, and what you can do in rootful versus rootless mode.
I will be using Ubuntu 22.04 LTS as the base for this series, but most podman commands should work across different Linux flavours.
In this first part I will explain some of the basics around podman and its configuration files; as we continue we will install it, learn the commands and dive into some more advanced management options.
Basic container concept
Podman is a container runtime like Docker: you can download and run pre-built images with specialized software within minutes and with a small footprint, since the containers are often streamlined and all unneeded software has been removed.
Podman & Security
Podman differs from Docker on one major point: it does not require a system service running as root in order to function. It has been built with security in mind, making it possible to run in userspace with tighter security control.
This even makes it possible to run containers as several users on the same server. Note that they cannot use the same ports, since they are all exposed on the same host network IP; this is true even when running in a single userspace, since everything is exposed through the host network. More on that in later parts.
In podman rootless mode every configuration, setting and container file resides under the user it is run as. Three folders make up the base for podman, and they all reside in your user's home directory.
All configuration files reside within each userspace when not running in root mode.
By default some configuration files do not exist, since the settings are podman's defaults and are stored internally, but it is possible to change settings by creating a configuration file; podman reads these automatically.
In user mode all initial network configuration is done automatically by podman, and often nothing has to be configured manually.
The file for network settings resides in .config/cni/net.d/87-podman.conflist. It defines the internal network that your containers and pods run in, which in turn is NATed to your host network interface.
We will look at each part of this file in a later part; for now, just know that it exists.
Volumes are a way of connecting a container to a storage space outside of its own bubble. This is useful when you have files that need to survive upgrades, or when you want to serve your own files; for instance, if you run a web server and want it to present your site, then a volume is a requirement.
The default storage location for volumes and container images is under .local/share/containers/storage/, and this can be changed by creating a configuration file under .config/containers/. This file does not exist by default and is only needed when you want to change the default storage location or its options; we will cover this in a later part.
Repositories are a key component of podman and other container software; it is from these you fetch the images used for running a container.
The configuration file .config/containers/registries.conf does not exist by default, but you can still fetch images without it. The file adds an extra layer of options in regards to container images, and we will talk more about it in a later part.
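As an added example (not code from the original post), the script below resolves the rootless paths listed above for a given home directory, reports which of the optional files are present (absent means podman's built-in defaults apply) and, when podman is installed, shows the live storage root and the user-namespace mapping that makes rootless mode safe. It assumes XDG_CONFIG_HOME and XDG_DATA_HOME are unset, so the defaults ~/.config and ~/.local/share apply.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post. Assumption: XDG_CONFIG_HOME and
# XDG_DATA_HOME are unset, so podman uses ~/.config and ~/.local/share.

# Print the rootless paths from the post as key=value lines for the home dir in $1.
rootless_paths() {
    local home="$1"
    printf 'network=%s\n'    "$home/.config/cni/net.d/87-podman.conflist"
    printf 'registries=%s\n' "$home/.config/containers/registries.conf"
    printf 'storage=%s\n'    "$home/.local/share/containers/storage"
}

# For every path print "<key> present" or "<key> missing (built-in default)".
rootless_status() {
    local home="$1"
    rootless_paths "$home" | while IFS='=' read -r key path; do
        if [ -e "$path" ]; then
            printf '%s present\n' "$key"
        else
            printf '%s missing (built-in default)\n' "$key"
        fi
    done
}

# Live checks that need podman; skipped when it is not installed so the
# script still runs on a plain shell.
show_live_podman() {
    command -v podman >/dev/null 2>&1 || { echo "podman not installed"; return 0; }
    # Where rootless podman actually keeps images and container layers.
    podman info --format '{{.Store.GraphRoot}}' 2>/dev/null || echo "podman info failed"
    # In the rootless user namespace uid 0 maps to your own uid, which is why
    # a process that is "root" inside a container is unprivileged on the host.
    podman unshare cat /proc/self/uid_map 2>/dev/null || echo "podman unshare failed"
}

# Report on the current user's home when the script is run directly.
rootless_status "$HOME"
show_live_podman
```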
Thoughts on the way
Podman, or a container system in general, takes some time to learn, but once you start to get the hang of it you will find that it is a really good complement to running ordinary servers, because not every application needs a full-grown server to run, eating resources that it really does not need.
Taking a first step into learning about containers can be a bit confusing at first, but things will get clearer the more you dive into it. So take your time, start at a small scale, experiment and test it, and above all do not give up.