There are many tools on the market that help us manage containers, and Docker is one of them. Podman is another tool for managing containers, developed by CoreOS engineers. Podman has some advantages over Docker and provides a more secure environment for running containers; rootless operation is one of the most significant advantages podman offers.
This article explains what a container is and why to use podman to create and deploy containers. After that, we will look at the advantages and limitations of podman rootless, and finally we will walk through a practical example of deploying a rootless container. Before proceeding further, please make sure podman is installed on your system. You can follow this link to set up podman. Before diving deeper, let’s go through some of the basics.
What is a container?
A container is a standard unit of code that packages all the application code and dependencies. Containers are very lightweight and contain everything needed to run an application. One of the main advantages of using a container is that it will behave and function the same way whether you are deploying it in production or your test machine. Below are some of the other advantages of using containers:
- Containers are very lightweight, so they require fewer resources than traditional applications.
- As the containers are very light, they take very little time to boot up compared to traditional applications.
- Another advantage of using containers is that we can run applications as microservices; we don’t need to deploy the entire application into a single container.
Now that we have a basic understanding of containers, let’s understand how podman helps us with container deployment.
What is podman?
Podman is an open-source container engine based on the OCI (Open Container Initiative) standards. Like Docker, we can manage our containers using podman, and like Docker, podman has a command-line interface. Red Hat engineers designed podman with Docker in mind; therefore, the podman commands are similar to Docker’s. If you are comfortable with Docker, you can quickly start working with podman.
Podman is growing in popularity because podman has certain advantages over Docker. Some of the benefits are:
- In Docker, to run any container we pass a command to the CLI, and the CLI connects to the Docker daemon to process the request, which makes the daemon a single point of failure: if the daemon process is killed, all the container processes it started are orphaned. Unlike Docker, podman does not have a daemon; it has a daemonless architecture. The main advantage of a daemonless architecture is that users can manage their containers directly, without root privileges.
- Another advantage of using podman is that we can run our containers rootless. I will explain rootless in detail later in this article.
- The most important advantage of using podman is that it provides more security than a container running under Docker.
Now we have a basic idea about podman and why we use it to manage our containers. Let’s dive deeper and understand the advantages of using rootless containers.
What are rootless containers?
A rootless container means running a container without root privileges. Podman gives us the flexibility to run containers without having root access to the machine. There are multiple options available in podman for running containers. I have tried to list all the possibilities below.
1. We can run the container as root and the process inside the container as the root user.
2. We can run the container as root and the process inside the container as another user, by specifying the user when running the container.
3. We can run the container as user X (other than root) and the process inside the container as root.
4. We can run both the container and the process inside the container as user X.
Maximum security is achieved if we choose option 4. Please follow this link for more information.
Advantages of running podman rootless
There are many advantages of running a container rootless. Some of the important ones are:
- A rootless container allows users who do not have admin access to run and manage containers. It also gives us the flexibility to restrict user access and avoid granting admin access to everyone who wishes to run containers.
- There is better isolation in the container environment, as containers can run under individual user accounts.
- Another significant advantage of running podman rootless is the additional security while running containers. Even if the container is compromised, the attacker won’t get admin access to the host.
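The four options above, and the "no admin access to the host" advantage, come down to one thing: which host UID a container UID is mapped to through the user namespace. As an added example (not code from the original article), the POSIX shell script below resolves a container UID to the host UID it really runs as, using the "inside outside count" line format of /proc/<pid>/uid_map; the two maps, host uid 1000 and the subuid range starting at 100000 are constructed assumptions, and podman is only invoked if it is installed.

```shell
#!/bin/sh
# Added example, not from the original article. The kernel describes a user
# namespace in /proc/<pid>/uid_map as lines of "inside outside count":
# container uids [inside, inside+count) map to host uids starting at outside.

# map_uid MAP CUID: print the host UID for container UID CUID, or "unmapped".
map_uid() {
    printf '%s\n' "$1" | {
        result=unmapped
        while read -r inside outside count; do
            [ -n "$inside" ] || continue
            if [ "$2" -ge "$inside" ] && [ "$2" -lt $((inside + count)) ]; then
                result=$((outside + $2 - inside))
                break
            fi
        done
        echo "$result"
    }
}

# host_privilege MAP CUID: what the container UID amounts to on the host.
host_privilege() {
    case "$(map_uid "$1" "$2")" in
        unmapped) echo unmapped ;;
        0)        echo root ;;
        *)        echo unprivileged ;;
    esac
}

# Constructed maps. A rootful container (options 1 and 2) keeps the identity
# map, so container root is host root. A rootless container started by host
# uid 1000 with a typical /etc/subuid range (options 3 and 4) maps container
# root to 1000 and container uids 1..65536 onto 100000 and up.
ROOTFUL_MAP='0 0 4294967295'
ROOTLESS_MAP='0 1000 1
1 100000 65536'

# When podman is installed and we are not root, show the live rootless map.
show_live_map() {
    command -v podman >/dev/null 2>&1 || { echo "podman not installed"; return; }
    [ "$(id -u)" -ne 0 ] || { echo "run as a non-root user to see a rootless map"; return; }
    podman unshare cat /proc/self/uid_map || echo "could not enter a user namespace"
}

printf 'rootful,  container root   -> host %s\n' "$(host_privilege "$ROOTFUL_MAP" 0)"
printf 'rootful,  container nobody -> host %s\n' "$(host_privilege "$ROOTFUL_MAP" 65534)"
printf 'rootless, container root   -> host uid %s (%s)\n' "$(map_uid "$ROOTLESS_MAP" 0)" "$(host_privilege "$ROOTLESS_MAP" 0)"
printf 'rootless, container nobody -> host uid %s\n' "$(map_uid "$ROOTLESS_MAP" 65534)"
printf 'rootless, container 70000  -> %s\n' "$(map_uid "$ROOTLESS_MAP" 70000)"
show_live_map
```

Option 2 (root engine, non-root process) still leaves container uid 0 equal to host root, which is why option 4 is the one with the security advantage.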
Now let’s discuss some of the disadvantages of using rootless podman containers.
Limitations/shortcomings of podman rootless
Even though rootless provides some benefits over traditional Docker containers, it has some disadvantages. Some of them are:
- A rootless container cannot always bind to ports below 1024, because the kernel does not allow unprivileged processes to bind to low ports.
- It is challenging to add storage while running a container rootless.
- Rootless podman does not support NFS for container storage; only the VFS storage driver is supported.
- Some systemd unit configurations do not work with rootless containers.
These are some of the disadvantages of rootless containers. I hope some of them will be solved soon in future releases.
Now we have a pretty good idea about running a rootless podman container. Let’s apply all this knowledge and deploy a rootless container.
A practical example of rootless podman
Before proceeding further, make sure podman is running on your system. For this demo, I will be running the container as root and the process inside the container as the nobody user.
Check the podman version
$ podman --version
podman version 0.3.2-dev
It looks like your setup is working properly. Now let’s connect to the podman VM and verify the user. For this demo, I have connected to the podman VM as the root user.
$ whoami
root
Now Let’s pull an httpd image.
$ podman pull httpd
Trying to pull docker.io/library/httpd:latest...
Getting image source signatures
Copying blob sha256:69692152171afee1fd341febc390747cfca2ff302f2881d8b394e786af605696
 25.89 MB / 25.89 MB [======================================================] 3s
Copying blob sha256:7284b4e0cc7b197edc206f815c5b24e67b9ed29abd9bbd8ae4bfdd5540bec6ec
 176 B / 176 B [============================================================] 0s
Copying blob sha256:3678b2d55ccdc6dcbe11cf1ea518ab7426ab37656d94213f637bd843dc6b6ca4
 2.67 MB / 2.67 MB [========================================================] 0s
Copying blob sha256:ab492cf0b2a4f47ba02a478521476bf00c2740f444fc658148b7dc919ed64a7f
 23.34 MB / 23.34 MB [======================================================] 2s
Copying blob sha256:991f7f97a9d859baba12204fea641d5644a2f988246e4554836825b44fcc2bcb
 298 B / 298 B [============================================================] 0s
Copying config sha256:f3cffeea581b3306a13d80b25a437f73f767b8f27afdb29393b3764b9dfaea69
 8.50 KB / 8.50 KB [========================================================] 0s
Writing manifest to image destination
Storing signatures
f3cffeea581b3306a13d80b25a437f73f767b8f27afdb29393b3764b9dfaea69
$
Verify that the image was pulled successfully
$ podman images
REPOSITORY               TAG     IMAGE ID      CREATED     SIZE
docker.io/library/httpd  latest  f3cffeea581b  5 days ago  142MB
Here we can see that the httpd image was pulled successfully. Now let’s create a container.
Create a container using podman
Now let’s run the httpd container as the nobody user.
$ podman run -d -u nobody httpd
29575fb3443d38e1b275a7e60d4a201a9352c5bfa037ef6eaac960f48b4b1184
Let’s verify that the container is running
$ podman ps
CONTAINER ID  IMAGE  COMMAND           CREATED AT                     STATUS            PORTS  NAMES
29575fb3443d  httpd  httpd-foreground  2021-05-17 13:18:13 +0000 UTC  Up 8 seconds ago         unruffled_wozniak
Verify podman container user
Now let’s go inside the container and verify the user this container is running as. The exec needs both -i and -t to get a usable interactive shell.
$ podman exec -it 29575fb3443d /bin/bash
nobody@29575fb3443d:/$
As you can see, the bash prompt shows nobody@, i.e. the nobody user.
Now let’s run the whoami command inside the container to verify the user
nobody@29575fb3443d:/$ whoami
nobody
nobody@29575fb3443d:/$
Congratulations, you have successfully run a rootless container.
In the same way, you can try other combinations to deploy pods using podman.
I hope you have found this article useful. We started with the basics of rootless containers and the need for them, then explored the advantages and disadvantages of podman rootless containers, and finally we spun up a rootless container.
If you found this article useful, please let me know in the comment box.