DEV Community: alfiantirta85

Container and Podman

alfiantirta85 — Sun, 12 Feb 2023 08:46:43 +0000

Container

containers are a set of one or more processes that are isolated from the rest of the system and a way of packaging applications to simplify deployment and management. the many benefits of containers such as security, storage, and network isolation. containers isolate application libraries and runtime resources from the host operating system or hypervisor and vice versa.

how containers interact with the underlying hardware and operating system?

Runs directly on the operating system, sharing hardware and operating system resources across all containers on the system. to keep apps light and running fast in parallel
Share the same operating system kernel, isolate container application processes from the rest of the system, and use any software that is compatible with that kernel
Requires significantly less hardware resources than virtual machines which makes it quick to start and stop and reduces storage requirements

Containers are an efficient way to provide hosted application usability and portability because they can be easily moved from one environment to another, but containers are usually temporary or ephemeral.

Container is run from a container image which serves as a blueprint for creating containers. container image cannot be changed because files including code and dependencies are required to run the container. container images are built according to specifications such as the Open Container Initiative (OCI).

A good way to start learning about containers is to work with each container on the server that acts as a host. a set of container tools you can use:

podman, which is used directly to manage containers and container images.
skopeo, which is used to check, copy, delete, and sign images.
buildah, which is used to create a new container image.

containers can be run by non-privileged users called rootless containers. rootless containers is safer but has some limitations.

Running base containers on rhel 8
To start running and managing containers on your system, you need to install the necessary command line tools like podman and skopeo with the yum command:

sudo yum module install container-tools

The container registry is a place to store and retrieve container images which are then used to run containers so the source of container images is very important.
redhat distributes certified container images through 2 main container registrars:

registry.redhat.io for containers based on official redhat products
registry.connect.redhat.com for containers based on third-party products

container images are named based on the syntax:
registry_name/user_name/image_name:tag
registry_name is the name of the register that stores the image.
user_name is the user/organization the image belongs to.
image_name is a unique user namespace
tag is the image version

To run the container on the local system, you must first pull the container image with the podman pull command

podman pull registry.access.redhat.com/ubi8/ubi:latest

use the podman image command to view locally stored images.
to run the image you can use the podman run command and use the -it option to interact with the container

podman run -it registry.access.redhat.com/ubi8/ubi:latest

use the command podman run --rm to remove it

podman run --rm registry.access.redhat.com/ubi8/ubi cat /etc/os-release

use the podman info command to display podman configuration information.
use the podman search command to search the container registrar for a specific container image and the --no-trunc option to view a longer image description.

to inspect remote container images in registry and show information you can use skopeo inspect command and to check locally stored ones use podman inspect

skopeo inspect docker://registry.redhat.io/rhel8/python-36
podman inspect registry.redhat.io/rhel8/python-36

to delete locally stored images use the podman rmi command

podman rmi registry.redhat.io/rhel8/python-36:latest

To provide network access to a container, you must connect to a port on the container host that forwards network traffic to the port on the container. You can map the container host port with the podman run command using the -p option and to run the container in separate mode (as a daemon) use the -d option.

podman run -d -p 8000:8080 registry.redhat.io/rhel8/httpd-24

To see all used port mappings with the command podman port -a and to add the container host port on the firewall use the command:

firewall-cmd --add-port=8000/tcp

You can pass the environment variables that the container uses to configure its application with the podman run command with the -e option.

podman run -d --name container_name -e MYSQL_USER=user_name -e MYSQL_PASSWORD=user_password -e MYSQL_DATABASE=database_name -⁠e MYSQL_ROOT_PASSWORD=mysql_root_password -p 3306:3306 registry.redhat.io/⁠rhel8/⁠mariadb-103:1-102

To see running containers, use the podman ps command and the -a option include stopped containers.
To stop a running container, use the podman stop command.
To remove container from host use command podman rm.
To restart a stopped container, use the podman restart command.
To send a UNIX signal to the main process in the container, use the podman kill command and the -a option to specify the signal.
To start additional processes in an already running container, use the podman exec command, options -i and -t to open an interactive session and allocate a pseudo-terminal for the shell and option -l to change the ID or name of the previous container.

Managing File System Permissions

alfiantirta85 — Sun, 25 Sep 2022 02:22:36 +0000

User Categories

Files has three categories of users for which permissions apply:

The user who created the file
A user who is in the same grub as the user
All other users

Permission Categories

File/directory have three categories of applicable permissions: read, write, and execute.

r(read) --> file can be read
w(write) --> file can be edited
x(execute) --> file can be run as command

View Permissions And Ownership

To see the permissions and ownership of files and directories can use command:

ls -l or ls -ld

Option -l --> view list with long list format.
Option -d --> view the directory listing itself.

File permission consist of nine characters after the character d(directory).

Permission for the user is determined by the first set of 3 characters
Permission for user groups are determined by the second set of 3 characters
Permission for all other users are determined by the third set of 3 characters

If the letters are replaced with -, then the category doesn't have that permission.

Change Permission

To change permission from the command line can use command:

chmod

Permission instructions can be issued by symbolic methods and numerical methods.

Symbolic Method

chmod WhoWhatWhich file/directory

Who is u(user), g(group), o(other), a(all)
What is +(add), -(remove), =(set exactly)
Which is r(read), w(write), x(execute)

option -R to change the permissions of the directory and its contents.

Numeric Method

chmod ### file/directory

Each digit represents a permission for the access level: user, group, other.
Each digit is the sum of the numbers representing the permissions.

read permission is represented by the number 4
write permission is represented by the number 2
execute permission is represented by the number 1

Change User And Group Ownership

To change the ownership of users and groups can use command:

chown

only root user can change file ownership

To change only the user, use the command:

chown usernew file1

To change only the group, use the command:

chown :groupnew file1

To change everything, use the command:

chown usernew:groupnew file1

We can use sudo privilege to use chown command.
Option -R to change the ownership of the directory and its contents.

Special Permission

Special permission is the fourth type of permission besides basic user, grub and other types. These permissions have additional access features that are allowed by the basic permission types.

1. Setuid Permission
on files containing this permission executable. however, the command that is executed becomes the user who owns the file, not as the user that executes the command.
to add this permission, can use command:

chmod u+s file1 or chmod 4### file1

2. Setgid Permission
files created in a directory containing these permissions inherit ownership of grub rather than inheriting from the user who created it. this file is executable. however, the command that is executed becomes the grub that owns the file, not as the grub that runs the command.
to add this permission, can use command:

chmod g+s file1 or chmod 2### file1

3. Sticky Permission
on directories that contain this permission, file deletion is subject to special restrictions. only file owner and root user can delete files in directory
to add this permission, can use command:

chmod o+t file1 or chmod 1### file1

Default File Permission

When you create a new file/directory it is given initial permission called umask.

If you create a new directory, the operating system will grant octal permission 0777
If you create a new file, the operating system will give permission octal 0666

Octal permission will be reduced by the umask set, usually 0002.
To see the umask that has been set, you can use the command:

umask

To replace it, you can use the command:

umask 027