Container engines to full pod power!
How to get down with the Podman and blast off with some containers.
DAMAGE LIMITATION “Because all applications can be run by regular users without root, malicious applications can’t break into important parts of the system.”
To non-Linuxy people, Podman is either the shady guy selling knock-off vape supplies outside your local youth club, or some kind of third-tier superhero with the power to control dolphins with his mind. An outside possibility would be the frozen refugee from an intergalactic war, discovered in his icy refuge below Antarctica.
In the context of this magazine, however, Podman is none of these things. It is, in fact, the latest and greatest containerisation solution for Linux. All the cool kids are using it to develop and deploy transferable applications on their systems, and you should, too. Originally developed by Red Hat, Podman is a container engine, and its containers are known, somewhat unsurprisingly, as pods. Start a pod, and you get one infra container, which holds the shared namespaces and manages everything, alongside your other containerised applications.
If you’re used to other container management systems, such as Docker, you’ll be used to occasionally running things using sudo, or interacting with root-owned daemons such as the Docker engine. While this is generally fine, allowing access to system processes can introduce all kinds of potential security nightmares to your system.
Podman doesn’t employ root-owned daemons, and a regular user can interact with, build and deploy images, and use containers without ever needing escalated privileges. It manages this by forking itself into a child process, which then becomes the container. Because all applications can be run by regular users without root, malicious applications can’t break into important parts of the system, and any damage is limited to the one user. It may suck to be that user, but at least you’re not having to disinfect your hard drive with bleach.
If you’re administering a system used by other people, the rootless approach has the added benefit of letting users deploy software safely without dragging the admin out of bed, and without taking the easy, but insecure, option of adding them to the Docker group.
With Podman’s obvious advantages summarised, it’s time to actually install Podman on your system.
Fortunately, this isn’t too much of a chore, because most recent distributions contain Podman in their default repositories.
Open a terminal either by selecting it from your system menu or by hitting the appropriate key binding (usually Ctrl+Alt+T).
Update your system in the usual way. On Debian-based distros, enter:
$ sudo apt update && sudo apt upgrade -y
Now install Podman with:
$ sudo apt install podman
If you use Arch or its derivatives, use:
$ sudo pacman -S podman
Or, for members of the Fedora family, enter:
$ sudo yum -y install podman
Installation should only take a few seconds depending on your connection speed. You can verify Podman is installed with:
$ podman -v
That was easy.
Despite all of the behind-the-scenes wizardry that makes Podman a superior and more secure alternative to Docker, the two orchestration tools both exist for the same purpose – managing containers – and both adhere to the Open Container Initiative (OCI). This open governance structure is responsible for setting standards for the Runtime Specification, Image Specification and Distribution Specification of containers. In practice, this means that anything that was designed to run with Docker should also run with Podman and vice versa.
Even the commands used to manage your containers and images are virtually identical, so it’s relatively easy to swap your container orchestration over from Docker to the newer, cooler, rootless Podman instead.
Your very first Podman
PiGallery2 is a directory-first image gallery for Linux that you access through a web browser. You can run it on your local machine, on a VPS or on a Raspberry Pi. It’s one of the simplest and most useful pieces of self-hosted software we’ve come across. If you have a directory of images, and want to be able to view them on your PC, on your network or remotely, PiGallery2 generates thumbnails, extracts metadata, shows maps of where the images were taken, and more.
It’s also super-lightweight, and easy to deploy with Podman, making it the perfect candidate for this tutorial.
To start with, make a new directory for PiGallery2 to live in, then move into your new directory:
$ mkdir pigallery2 && cd pigallery2
Create new directories for PiGallery2 to store configs, temporary files and database:
$ mkdir config db temp
In the following command, make sure you set the actual path for your images directory:
$ podman run -p 1400:80 -e NODE_ENV=production -v ~/pigallery2/config:/app/data/config -v ~/pigallery2/db:/app/data/db -v /path/to/your/images:/app/data/images -v ~/pigallery2/temp:/app/data/tmp docker.io/bpatrik/pigallery2:latest
One important way the above command differs from the official PiGallery2 documentation is that by default, Podman doesn’t assume the images you want to download are located on Docker Hub.
While the GitHub docs merely tell you to pull the bpatrik/pigallery2:latest image, with Podman, you need to prefix the image name with docker.io. In this example, the complete image name is docker.io/bpatrik/pigallery2:latest.
Another thing you need to take into account is that unlike Docker, Podman runs without root privileges. This means that some of the things you might like to do are not available to you out of the box. Eagle-eyed readers will note that we have specified port 1400 in our Podman command, rather than the more customary port 80. This is because 80 is a privileged port and, being rootless, Podman is unable to bind to it.
You can get around this by specifying a port number over 1024, as we did, or make port 80 unprivileged with:
$ echo 'net.ipv4.ip_unprivileged_port_start=80' | sudo tee -a /etc/sysctl.conf
This probably isn’t the best idea, though. When you hit Enter, Podman downloads the necessary images and sets up containers for PiGallery2. When it completes, feel free to close your terminal window.
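The two Podman-specific wrinkles above, the fully qualified image name and the privileged-port limit, are easy to get wrong when typing a long run line by hand. Here is an added example (not code from the article or from the PiGallery2 project) that assembles the run command with the same four mounts, normalises a short image name the way Docker would, and refuses a host port that the kernel treats as privileged for a rootless user. It assumes the host directories live under ~/pigallery2 as in the tutorial, that PG_IMAGES points at your real photo directory, and it adds a `--name pigallery2` so the container gets a predictable name instead of a random one; the PG_* variable names and the PG_SYSCTL_FILE override are this script's own inventions.

```shell
#!/bin/sh
# Added example (not from the article or the PiGallery2 project): assemble and
# sanity-check the rootless `podman run` line for PiGallery2.
# Assumptions: host dirs config/, db/ and temp/ under $PG_BASE (default
# ~/pigallery2); container paths /app/data/{config,db,images,tmp} follow the
# PiGallery2 docs; PG_IMAGES must be set to your photo directory.

# Podman does not assume Docker Hub for short names, so normalise the reference
# the way Docker does: "nginx" -> docker.io/library/nginx,
# "bpatrik/pigallery2:latest" -> docker.io/bpatrik/pigallery2:latest, and leave
# anything whose first path segment looks like a registry (contains a dot or a
# port, or is "localhost") untouched.
qualify_image() {
  ref=$1
  first=${ref%%/*}
  case "$ref" in
    */*)
      case "$first" in
        *.*|*:*|localhost) printf '%s\n' "$ref" ;;
        *) printf 'docker.io/%s\n' "$ref" ;;
      esac ;;
    *) printf 'docker.io/library/%s\n' "$ref" ;;
  esac
}

# Rootless Podman can only bind host ports at or above the kernel's
# net.ipv4.ip_unprivileged_port_start (1024 by default). Returns 0 when the
# port is usable without root. The file path is overridable (hypothetical
# PG_SYSCTL_FILE) so the check can be exercised against a constructed value.
port_usable_rootless() {
  port=$1
  start_file=${2:-/proc/sys/net/ipv4/ip_unprivileged_port_start}
  start=$(cat "$start_file" 2>/dev/null || echo 1024)
  [ "$port" -ge "$start" ]
}

# Print the complete command as one line, or fail before anything is started
# if the chosen host port would need root.
pigallery2_run_cmd() {
  base=${PG_BASE:-$HOME/pigallery2}
  images=${PG_IMAGES:?set PG_IMAGES to your photo directory}
  port=${PG_PORT:-1400}
  image=$(qualify_image "${PG_IMAGE:-bpatrik/pigallery2:latest}")
  port_usable_rootless "$port" "${PG_SYSCTL_FILE:-}" || {
    echo "port $port is privileged for a rootless user; pick one >= 1024" >&2
    return 1
  }
  printf 'podman run -d --name pigallery2 -p %s:80 -e NODE_ENV=production -v %s/config:/app/data/config -v %s/db:/app/data/db -v %s:/app/data/images -v %s/temp:/app/data/tmp %s' \
    "$port" "$base" "$base" "$images" "$base" "$image"
}

# Usage: PG_RUN=1 PG_IMAGES=/path/to/photos sh run-pigallery2.sh   (starts it)
#        PG_RUN=1 DRY_RUN=1 PG_IMAGES=/path/to/photos sh run-pigallery2.sh  (prints the command)
main() {
  mkdir -p "${PG_BASE:-$HOME/pigallery2}/config" "${PG_BASE:-$HOME/pigallery2}/db" "${PG_BASE:-$HOME/pigallery2}/temp"
  cmd=$(pigallery2_run_cmd) || exit 1
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$cmd"; else eval "$cmd"; fi
}
if [ -n "${PG_RUN:-}" ]; then main; fi
```

The `-d` flag detaches the container, which is what lets you close the terminal afterwards without taking the gallery down with it; without it, the container is tied to your shell session.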
Open a browser and enter localhost:1400 to reach the admin page. Log in with username admin, and the password admin. Remember to change both of these before you expose your private photos to the internet.
By default, PiGallery2 shows your images in date ascending order. You can change this in Settings.
To control your containers, you need to know the container ID or name, so open a terminal and enter:
$ podman ps
The output lists container IDs, the image name, uptime, ports in use, and a supposedly friendly name. In our case, the name was beautiful_heyrovsky.
To bring your containers down, enter:
$ podman stop <container ID or name>
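If you started the container with `--name`, you can stop it by that name directly. When you didn't, and are stuck with something like beautiful_heyrovsky, it is more reliable to select the container by the image it runs than to copy a random name out of `podman ps`. The following is an added example, not code from the article: it reads the `ID IMAGE NAMES` columns that `podman ps --format` can print, picks the names whose image matches a pattern, and treats "nothing matched" as a distinct outcome so a script can tell "already stopped" from "stopped it". The sample output is constructed, and the container IDs and the web_proxy container in it are made up.

```shell
#!/bin/sh
# Added example, not from the article: stop running containers by image name
# rather than by the randomly generated container name.

# Read space-separated "ID IMAGE NAMES" lines on stdin (the shape produced by
# `podman ps --format "{{.ID}} {{.Image}} {{.Names}}"`) and print the names
# whose image contains the pattern. Returns 1 when nothing matched.
names_for_image() {
  pattern=$1
  found=1
  while read -r id image names; do
    case "$image" in
      *"$pattern"*) printf '%s\n' "$names"; found=0 ;;
    esac
  done
  return $found
}

# Constructed sample of that `podman ps` output: two running containers, only
# one of them the PiGallery2 image from the tutorial.
SAMPLE_PS="$(printf '3f1a9b2c7d4e docker.io/bpatrik/pigallery2:latest beautiful_heyrovsky\n9a8b7c6d5e4f docker.io/library/nginx:latest web_proxy\n')"

# Query Podman for real and stop every match; fail loudly if there is none so
# a wrapper script doesn't silently "succeed" on a container that isn't there.
stop_by_image() {
  names=$(podman ps --format '{{.ID}} {{.Image}} {{.Names}}' | names_for_image "$1") || {
    echo "no running container matches '$1'" >&2
    return 1
  }
  for n in $names; do
    podman stop "$n"
  done
}

# Usage: PG_STOP=pigallery2 sh stop-by-image.sh
if [ -n "${PG_STOP:-}" ]; then stop_by_image "$PG_STOP"; fi
```

`podman ps` only lists running containers; add `-a` to the format query if you also want to catch ones that have already exited.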