class: center, middle # Container Tooling by Red Hat ## Franta Lachman ## Tomas Tomecek --- class: center, middle # Docker done right --- class: center, middle # ~~Docker done right~~ ## (You make your own opinion :) --- class: center, middle # Who's Franta and Tomas? --- # The tools * podman * buildah * skopeo * udica * toolbox * ~~CRI-O~~ -- * Demos: https://github.com/containers/Demos.git --- # The background tools * crun * bubblewrap * fuse-overlayfs * conmon * containers/{storage,image} --- class: center, middle ![](https://github.com/containers/libpod/raw/master/logo/podman-logo.png) --- class: center, middle
--- # podman (T) * [github.com/containers/libpod](https://github.com/containers/libpod) * "The manager of pods" * The same CLI as docker command --- # Rootless containers (T) * Credits: * https://www.slideshare.net/AkihiroSuda/rootless-containers -- * Running a container as an unprivileged user -- * Very tricky to be done on the system level * User namespaces (UID mapping), Filesystem, Networking -- * Demo `github.com/containers/Demos/security` --- # Let's talk security * Credits: * https://devconfcz2020a.sched.com/event/YOo2/the-state-of-container-security -- * Security is not very popular. * Security hates user experience (`setenforce 0`). -- * `podman run --privileged` vs. `podman run --cap-drop` -- * SELinux blocked most of docker's CVEs * breakouts of containers (filesystem based) --- # Oci-seccomp-bpf-hook * https://github.com/containers/oci-seccomp-bpf-hook * Generate a seccomp profile based on live container behaviour. -- * Also, what is seccomp? -- * No demo, the tool is not packaged, yet. --- # udica .left-column[ * [Credits](https://devconfcz2020a.sched.com/event/YOnA/custom-selinux-container-policies-in-openshift#) * Examines container configuration * Generate SELinux policy * Demo: `Demos/security/SELinuxUdica` ] .right-column[ ![](https://github.com/containers/udica/raw/master/logo/logo-udica-notext.png) ] --- # Features in podman and not in docker (F) - [upstream table](https://github.com/containers/libpod/blob/master/transfer.md#missing-commands-in-docker) - UX enhancements - not-merged proposals for `docker` - pod manipulation --- # Features in podman and not in docker I/VII * podman container checkpoint * podman container restore ``` Checkpoints one or more running containers. The container name or ID can be used. Usage: podman container checkpoint [flags] CONTAINER [CONTAINER...] Examples: podman container checkpoint --keep ctrID podman container checkpoint --all podman container checkpoint --leave-running --latest ``` --- # Features in podman and not in docker II/VII * podman container cleanup * podman container exists * podman container runlabel * podman healthcheck run ``` Examples: podman container cleanup --latest podman container cleanup ctrID1 ctrID2 ctrID3 podman container cleanup --all podman container exists containerID podman container exists myctr || podman run --name myctr [etc...] ``` --- # Features in podman and not in docker III/VII * podman image exists * podman image sign | podman image trust * podman image tree ``` $ podman image tree --whatrequires e7d92cdc71fe Image Layers └── ID: 5216338b40a7 Size: 5.857MB Top Layer of: [docker.io/library/alpine:latest] ├── ID: c07692cd6afc Size: 61.23MB │ ├── ID: 680cc73971b8 Size: 0B │ └── ID: 79328d443872 Size: 0B ├── ID: b876d8a9551e Size: 61.23MB │ ├── ID: a2cdfa446b03 Size: 0B │ └── ID: 003c10d311c8 Size: 0B └── ID: 92a673328d5d Size: 61.23MB Top Layer of: [localhost/hello:latest] ├── ID: 33a5ba140a3f Size: 0B └── ID: 45b17e59ed3b Size: 0B ``` --- # Features in podman and not in docker IV/VII * podman mount * podman umount ``` (Un)mount a working container's root filesystem. ``` --- # Features in podman and not in docker V/VII * podman varlink ``` Run varlink interface Description: Run varlink interface. Podman varlink listens on the specified unix domain socket for incoming connects. Tools speaking varlink protocol can remotely manage pods, containers and images. Usage: podman varlink [flags] [URI] Examples: podman varlink unix:/run/podman/io.podman podman varlink --timeout 5000 unix:/run/podman/io.podman ``` --- # Features in podman and not in docker VI/VII * podman system service ``` Run API service Description: Run an API service Enable a listening service for API access to Podman commands. ``` --- # Features in podman and not in docker VII/VII * `podman play` * `podman play kube` * `podman generate` * `podman generate kube` * `podman pod *` --- # podman → k8s (T) * podman can create definitions based on live containers * `podman generate kube` * `podman generate systemd` -- * Demo! --- # skopeo (T) .left-column[ * move container images around * registry, dockerd, containers/storage, a file * transports ``` skopeo inspect docker://docker.io/usercont/packit { "Name": "docker.io/usercont/packit", "Digest": "sha256:4918b3a8511b7ca91... "RepoTags": [ "latest", "prod" ], "Created": "2020-02-19T15:24:13.408449229Z", ``` ] .right-column[
] --- # buildah (F) .left-column[ * shell-based container builder tool * no container runtime deamon needed * simple, efficient ] .right-column[ ![](https://github.com/containers/buildah/raw/master/logos/buildah-logomark_large_transparent-bg.png) ] --- # buildah: benefits * no need for build/install requirements in the final image * read/write volumes during the build * rootless usage * buildah images available at [quay.io/repository/buildah/stable](https://quay.io/repository/buildah/stable) * `buildah build-using-dockerfile` --- # toolbox (F) *Toolbox is a tool that offers a familiar package based environment for developing and debugging software that runs fully unprivileged using Podman.* .right-column[ ![](https://raw.githubusercontent.com/containers/toolbox/master/data/logo/toolbox-logo-landscape.svg?sanitize=true) ] .left-column[ ``` [user@hostname ~]$ toolbox create Created container: fedora-toolbox-30 Enter with: toolbox enter [user@hostname ~]$ toolbox enter ⬢[user@toolbox ~]$ ``` ] --- # You've seen these demos * intro (F) * rootless containers (T) * building images (F) * basic * speeding up builds * security (T) * basic * udica * ~~from podman to k8s~~ --- class: middle # The end *
[github.com/TomasTomecek/speaks](https://github.com/TomasTomecek/speaks) *
[github.com/lachmanfrantisek](https://github.com/lachmanfrantisek) *
[gitlab.com/lachmanfrantisek](https://gitlab.com/lachmanfrantisek) *
[github.com/containers](https://github.com/containers) *
[@TomasTomec](https://twitter.com/TomasTomec) *
[blog.tomecek.net](https://blog.tomecek.net/)