# Podman vs. Docker
<!-- ## Open Container Initiative (OCI)
* A specification for containers
* Supported operations:
  * Query State
  * Create
  * Start
  * Delete
  * Kill
  * Hooks -->
## Docker vs. Podman

## How rootless works
Limitations: https://linuxhandbook.com/rootless-podman/
* Uses a user namespace to map between **the user IDs in the container** and **the user IDs on your host**.
```
sunny-liao@sg-redis-08:~$ cat /etc/subuid
sunny-liao:100000:65537
```
```
sunny-liao@sg-redis-08:~$ cat /proc/857762/uid_map
0 10428 1
1 100000 65537
# 857762 is the PID of the running container
```
Case A: inside the container, the user bidderx (UID=1000) starts http.server
Case B: inside the container, root starts http.server
On the host you see:
Case A: http.server running as uid=100999
Case B: http.server running as uid=10428
Because /etc/subuid contains `sunny-liao:100000:65537`, the http.server processes of Case A and Case B end up with the same privileges on the host.
Key note: uid_map/gid_map and subuid/subgid
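The mapping above can be worked through in code. The following is an added example, not part of the original notes: it resolves container UIDs to host UIDs the way the kernel applies `/proc/<pid>/uid_map`, and checks that every host UID the map hands out lies inside the user's `/etc/subuid` allocation (or is the user's own UID, here assumed to be 10428). The `uid_map` and `subuid` contents are constructed to match the output shown above.

```python
# Added example, not part of the original notes: resolve container UIDs to host
# UIDs the way the kernel applies /proc/<pid>/uid_map, and check that every host
# UID the map hands out lies inside the user's /etc/subuid allocation (or is the
# user's own UID). The sample data below is constructed to match the notes above.
from typing import List, Optional, Tuple

# Constructed sample of /proc/<pid>/uid_map: "<container-start> <host-start> <length>"
UID_MAP_SAMPLE = "0 10428 1\n1 100000 65537\n"

# Constructed sample of /etc/subuid: "<user>:<start>:<length>"
SUBUID_SAMPLE = "sunny-liao:100000:65537\n"

# Assumption: the host UID of the user running the rootless container
OWN_UID = 10428

IdMap = List[Tuple[int, int, int]]


def parse_id_map(text: str) -> IdMap:
    """Parse uid_map/gid_map lines into (container_start, host_start, length)."""
    entries: IdMap = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        c_start, h_start, length = (int(f) for f in fields)
        entries.append((c_start, h_start, length))
    return entries


def container_to_host(id_map: IdMap, container_id: int) -> Optional[int]:
    """Host UID/GID for a container UID/GID; None if unmapped (the kernel then
    shows the overflow id, 65534/nobody, on the host side)."""
    for c_start, h_start, length in id_map:
        if c_start <= container_id < c_start + length:
            return h_start + (container_id - c_start)
    return None


def parse_subid(text: str, user: str) -> List[Tuple[int, int]]:
    """(start, length) ranges allocated to `user` in /etc/subuid or /etc/subgid."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, length = line.split(":")
        if name == user:
            ranges.append((int(start), int(length)))
    return ranges


def host_id_allowed(subid_ranges, host_id: int, own_id: int) -> bool:
    """A rootless user may map its own id plus anything inside its sub-id ranges."""
    if host_id == own_id:
        return True
    return any(start <= host_id < start + length for start, length in subid_ranges)


def id_map_within_allocation(id_map: IdMap, subid_ranges, own_id: int) -> bool:
    """True if every host id the map hands out is one the user is allowed to use.
    Checks every id of every entry; cheap at the usual 65536-id allocations."""
    for _c_start, h_start, length in id_map:
        for host_id in range(h_start, h_start + length):
            if not host_id_allowed(subid_ranges, host_id, own_id):
                return False
    return True


if __name__ == "__main__":
    uid_map = parse_id_map(UID_MAP_SAMPLE)
    subuids = parse_subid(SUBUID_SAMPLE, "sunny-liao")
    for cid in (0, 1000, 65537, 65538):
        print(f"container uid {cid} -> host uid {container_to_host(uid_map, cid)}")
    print("map within allocation:", id_map_within_allocation(uid_map, subuids, OWN_UID))
```

Container UID 1000 resolves to host UID 100999 and container root to 10428, exactly as observed above; UID 65538 has no mapping and would show up as the overflow id on the host.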
## Registries
/etc/containers/registries.conf: `unqualified-search-registries` sets where images are pulled from when the name carries no registry, but the official recommendation is to put the registry server in the image name at pull time (e.g. docker.io/ubuntu).
Note: so if you switch to podman, it is recommended to change all Dockerfiles to `FROM docker.io/...`.
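A small tool for that Dockerfile change, added here as an example and not part of the original notes: it rewrites unqualified `FROM` references so podman never falls back to `unqualified-search-registries`. Registry detection follows the docker/podman reference rule (the first path component is a registry only if it contains `.` or `:` or is exactly `localhost`; a name without `/` is never qualified), and build-stage names, `scratch` and `$ARG` references are left alone. The `docker.io` default and the sample Dockerfile are assumptions.

```python
# Added example, not part of the original notes: rewrite unqualified image
# references in a Dockerfile so that podman never falls back to
# unqualified-search-registries. Registry detection follows the docker/podman
# reference rule: the first path component names a registry only if it contains
# '.' or ':' or is exactly 'localhost'; a name without '/' is never qualified.
# Build-stage names (FROM ... AS name), 'scratch' and $ARG references are left alone.
import re

DEFAULT_REGISTRY = "docker.io"  # the registry the notes above recommend

# Constructed sample Dockerfile exercising the cases that matter
SAMPLE_DOCKERFILE = """FROM ubuntu:22.04 AS build
RUN apt-get update
FROM --platform=linux/amd64 quay.io/prometheus/node-exporter
FROM localhost:5000/myimg:dev
FROM scratch
FROM build
COPY --from=build /app /app
"""

FROM_RE = re.compile(
    r"^(?P<kw>\s*FROM\s+)(?P<flags>(?:--\S+\s+)*)(?P<image>\S+)(?P<rest>.*)$",
    re.IGNORECASE,
)
AS_RE = re.compile(r"\s+AS\s+(\S+)", re.IGNORECASE)


def is_qualified(image: str) -> bool:
    """True if the reference already names a registry."""
    if "/" not in image:
        return False
    first = image.split("/", 1)[0]
    return "." in first or ":" in first or first == "localhost"


def qualify(image: str, registry: str = DEFAULT_REGISTRY) -> str:
    """Prefix a registry onto an unqualified reference; leave others untouched."""
    if image == "scratch" or image.startswith("$") or is_qualified(image):
        return image
    return f"{registry}/{image}"


def qualify_dockerfile(text: str, registry: str = DEFAULT_REGISTRY) -> str:
    """Rewrite every FROM line, skipping references to earlier build stages."""
    stages = set()
    out = []
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if m:
            image = m.group("image")
            if image.lower() not in stages:
                image = qualify(image, registry)
            as_m = AS_RE.search(m.group("rest"))
            if as_m:
                stages.add(as_m.group(1).lower())
            line = m.group("kw") + m.group("flags") + image + m.group("rest")
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    print(qualify_dockerfile(SAMPLE_DOCKERFILE), end="")
```

Only the first line of the sample changes (to `FROM docker.io/ubuntu:22.04 AS build`); the quay.io and localhost references, `scratch`, and the `FROM build` stage reference are left as they are.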
## File system
* overlay
* fuse-overlayfs
## Pod
Install: catatonit
A pod can contain multiple containers; containers in the same pod share the same network namespace.
```
podman pod create --name ${pod_name}
podman run --pod ${pod_name} ${image}
```
Stopping a pod stops every container in it; likewise, starting a pod starts them all together.
## Network
rootful container: containernetworking-plugins
rootless container: slirp4netns
* For rootless containers, slirp4netns must be installed if you want to publish (bind) a port:
```
sunny-liao@sg-redis-08:~/bidderx/docker/v1$ podman run --rm -it -p 1500:8000 bfabf17f71e4
Error: could not find slirp4netns, the network namespace can't be configured: exec: "slirp4netns": executable file not found in $PATH
```
host ---curl---> **rootless** container (published port)
```
Summary:
Total: 3.4912 secs
Slowest: 3.4532 secs
Fastest: 0.0015 secs
Average: 0.0942 secs
Requests/sec: 286.4318
Total data: 942000 bytes
Size/request: 942 bytes
```
host ---curl---> **rootful** container (published port)
```
Summary:
Total: 4.4144 secs
Slowest: 4.3570 secs
Fastest: 0.0011 secs
Average: 0.0818 secs
Requests/sec: 226.5292
Total data: 942000 bytes
Size/request: 942 bytes
```
Network limitations of rootless containers:
* Cannot bind ports below 1024 to containers.
* Unable to ping any host.
* The official docs mention a workaround: https://github.com/containers/podman/blob/main/troubleshooting.md?ref=linux-handbook#solution-3 , but following it did not solve the problem for me (I hit permission errors along the way).
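The port limitation above can be caught before `podman run` fails. The following is an added example, not part of the original notes: it parses the docker/podman publish syntax `[[host-ip:]host-port:]container-port[/proto]` (IPv4 host addresses only; the bracketed IPv6 form is not handled) and flags host ports an unprivileged user cannot bind. The 1024 threshold assumes the kernel default for `net.ipv4.ip_unprivileged_port_start`.

```python
# Added example, not part of the original notes: pre-flight check for
# `podman run -p` mappings in a rootless container. Parses the docker/podman
# publish syntax [[host-ip:]host-port:]container-port[/proto] (IPv4 host
# addresses only; the bracketed IPv6 form is not handled here) and flags host
# ports that an unprivileged user cannot bind. The 1024 threshold assumes the
# kernel default net.ipv4.ip_unprivileged_port_start.
from typing import NamedTuple, Optional, Tuple

UNPRIVILEGED_PORT_START = 1024  # assumption: kernel default


class Publish(NamedTuple):
    host_ip: Optional[str]
    host_ports: Optional[Tuple[int, int]]  # None => podman picks a free host port
    container_ports: Tuple[int, int]
    proto: str


def _port_range(text: str) -> Tuple[int, int]:
    """'8000' -> (8000, 8000); '8000-8010' -> (8000, 8010)."""
    lo, _, hi = text.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not (1 <= lo_i <= hi_i <= 65535):
        raise ValueError(f"bad port range: {text!r}")
    return lo_i, hi_i


def parse_publish(spec: str) -> Publish:
    """Split a -p argument into its host ip, host ports, container ports and protocol."""
    body, _, proto = spec.partition("/")
    proto = proto or "tcp"
    parts = body.split(":")
    if len(parts) == 1:
        host_ip, host, cont = None, "", parts[0]
    elif len(parts) == 2:
        host_ip, host, cont = None, parts[0], parts[1]
    elif len(parts) == 3:
        host_ip, host, cont = parts[0], parts[1], parts[2]
    else:
        raise ValueError(f"unrecognised publish spec: {spec!r}")
    host_ports = _port_range(host) if host else None
    return Publish(host_ip or None, host_ports, _port_range(cont), proto)


def rootless_can_publish(spec: str) -> bool:
    """False when the mapping needs a host port below the unprivileged range."""
    p = parse_publish(spec)
    if p.host_ports is None:
        return True  # an ephemeral host port is always unprivileged
    return p.host_ports[0] >= UNPRIVILEGED_PORT_START


if __name__ == "__main__":
    for spec in ("1500:8000", "80:8000", "8000", "127.0.0.1:8053:53/udp"):
        print(f"-p {spec:24} rootless ok: {rootless_can_publish(spec)}")
```

`-p 1500:8000` from the error message above passes the check, while `-p 80:8000` is rejected because host port 80 is below 1024.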
<!-- ## Runc
## Buildah
sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 sunny-liao
buildah with arg: --layers -> use cache
need to install fuse-overlayfs -> otherwise buildah can only be used as root
container storage location: /var/lib/containers, /var/lib/docker -->
<!-- https://www.redhat.com/sysadmin/container-networking-podman -->
<!-- /usr/share/container/container.conf -->