Podman in Action: Secure, rootless containers for Kubernetes, microservices, and more
- Length: 312 pages
- Edition: 1
- Language: English
- Publisher: Manning
- Publication Date: 2023-02-07
- ISBN-10: 1633439682
- ISBN-13: 9781633439689
- Sales Rank: #1770117
Discover Podman, a next-generation container engine that runs containers rootlessly and without a daemon, adding layers of isolation that Docker and other container platforms do not provide by default.
Podman in Action teaches you how to develop and manage rootless containers using Podman. You’ll quickly get to grips with Podman’s unique advantages over Docker, and learn how easy it is to migrate your Docker-based infrastructure.
Every chapter of Podman in Action includes easy-to-follow examples, including the steps to deploy a complete containerized web service. You’ll learn the power and security of the user namespace, how to install and run Podman on macOS and Windows, and dive into key security concepts such as SELinux and seccomp.
Table of contents

brief contents
contents
preface
acknowledgments
about this book
  Who should read this book?
  How this book is organized: A roadmap
  liveBook discussion forum
  Author online
about the author
about the cover illustration

Part 1—Foundations

1 Podman: A next-generation container engine
  1.1 About all these terms
  1.2 A brief overview of containers
    1.2.1 Container images: A new way to ship software
    1.2.2 Container images lead to microservices
    1.2.3 Container image format
    1.2.4 Container standards
  1.3 Why use Podman when you have Docker?
    1.3.1 Why have only one way to run containers?
    1.3.2 Rootless containers
    1.3.3 Fork/exec model
    1.3.4 Podman is daemonless
    1.3.5 User-friendly command line
    1.3.6 Support for REST API
    1.3.7 Integration with systemd
    1.3.8 Pods
    1.3.9 Customizable registries
    1.3.10 Multiple transports
    1.3.11 Complete customizability
    1.3.12 User-namespace support
  1.4 When not to use Podman
  Summary

2 Command line
  2.1 Working with containers
    2.1.1 Exploring containers
    2.1.2 Running the containerized application
    2.1.3 Stopping containers
    2.1.4 Starting containers
    2.1.5 Listing containers
    2.1.6 Inspecting containers
    2.1.7 Removing containers
    2.1.8 exec-ing into a container
    2.1.9 Creating an image from a container
  2.2 Working with container images
    2.2.1 Differences between a container and an image
    2.2.2 Listing images
    2.2.3 Inspecting images
    2.2.4 Pushing images
    2.2.5 podman login: Logging into a container registry
    2.2.6 Tagging images
    2.2.7 Removing images
    2.2.8 Pulling images
    2.2.9 Searching for images
    2.2.10 Mounting images
  2.3 Building images
    2.3.1 Format of a Containerfile or Dockerfile
    2.3.2 Automating the building of our application
  Summary

3 Volumes
  3.1 Using volumes with containers
    3.1.1 Named volumes
    3.1.2 Volume mount options
    3.1.3 podman run --mount command option
  Summary

4 Pods
  4.1 Running pods
  4.2 Creating a pod
  4.3 Adding a container to a pod
  4.4 Starting a pod
  4.5 Stopping a pod
  4.6 Listing pods
  4.7 Removing pods
  Summary

Part 2—Design

5 Customization and configuration files
  5.1 Configuration files for storage
    5.1.1 Storage location
    5.1.2 Storage drivers
  5.2 Configuration files for registries
    5.2.1 registries.conf
  5.3 Configuration files for engines
  5.4 System configuration files
  Summary

6 Rootless containers
  6.1 How does rootless Podman work?
    6.1.1 Images contain content owned by multiple user identifiers (UIDs)
  6.2 Rootless Podman under the covers
    6.2.1 Pulling the image
    6.2.2 Creating a container
    6.2.3 Setting up the network
    6.2.4 Starting the container monitor: conmon
    6.2.5 Launching the OCI runtime
    6.2.6 The containerized application runs until completion
  Summary

Part 3—Advanced topics

7 Integration with systemd
  7.1 Running systemd within a container
    7.1.1 Containerized systemd requirements
    7.1.2 Podman container in systemd mode
    7.1.3 Running an Apache service within a systemd container
  7.2 Journald for logging and events
    7.2.1 Log driver
    7.2.2 Events
  7.3 Starting containers at boot
    7.3.1 Restarting containers
    7.3.2 Podman containers as systemd services
    7.3.3 Distributing systemd unit files to manage Podman containers
    7.3.4 Automatically updating Podman containers
  7.4 Running containers in notify unit files
  7.5 Rolling back failed containers after update
  7.6 Socket-activated Podman containers
  Summary

8 Working with Kubernetes
  8.1 Kubernetes YAML files
  8.2 Generating Kubernetes YAML files with Podman
  8.3 Generating Podman pods and containers from Kubernetes YAML
    8.3.1 Shutting down pods and containers based on a Kubernetes YAML file
    8.3.2 Building images using Podman and Kubernetes YAML files
  8.4 Running Podman within a container
    8.4.1 Running Podman within a Podman container
    8.4.2 Running Podman within a Kubernetes pod
  Summary

9 Podman as a service
  9.1 Introducing the Podman service
    9.1.1 Systemd services
  9.2 Podman-supported APIs
  9.3 Python libraries for interacting with Podman
    9.3.1 Using docker-py with the Podman API
    9.3.2 Using podman-py with the Podman API
    9.3.3 Which Python library should you use?
  9.4 Using docker-compose with the Podman service
  9.5 podman --remote
    9.5.1 Local connections
    9.5.2 Remote connections
    9.5.3 Setting up SSH on the client machine
    9.5.4 Configuring a connection
  Summary

Part 4—Container security

10 Security container isolation
  10.1 Read-only Linux kernel pseudo filesystems
    10.1.1 Unmasking the masked paths
    10.1.2 Masking additional paths
  10.2 Linux capabilities
    10.2.1 Dropped Linux capabilities
    10.2.2 Dropped CAP_SYS_ADMIN
    10.2.3 Dropping capabilities
    10.2.4 Adding capabilities
    10.2.5 No new privileges
    10.2.6 Root with no capabilities is still dangerous
  10.3 UID isolation: User namespace
    10.3.1 Isolating containers using the --userns=auto flag
    10.3.2 User-namespaced Linux capabilities
    10.3.3 Rootless Podman with the --userns=auto flag
    10.3.4 User volumes with the --userns=auto flag
  10.4 Process isolation: PID namespace
  10.5 Network isolation: Network namespace
  10.6 IPC isolation: IPC namespace
  10.7 Filesystem isolation: Mount namespace
  10.8 Filesystem isolation: SELinux
    10.8.1 SELinux type enforcement
    10.8.2 SELinux Multi-Category Security separation
  10.9 System call isolation: seccomp
  10.10 Virtual machine isolation
  Summary

11 Additional security considerations
  11.1 Daemon versus the fork/exec model
    11.1.1 Access to the docker.sock
    11.1.2 Auditing and logging
  11.2 Podman secret handling
  11.3 Podman image trust
    11.3.1 Podman image signing
  11.4 Podman image scanning
    11.4.1 Read-only containers
  11.5 Security in depth
    11.5.1 Podman uses all security mechanisms simultaneously
    11.5.2 Where should you run your containers?
  Summary

Appendix A—Podman-related container tools
  A.1 Skopeo
  A.2 Buildah
    A.2.1 Creating a working container from a base image
    A.2.2 Adding data to a working container
    A.2.3 Running commands in a working container
    A.2.4 Adding content to a working container directly from the host
    A.2.5 Configuring a working container
    A.2.6 Creating an image from a working container
    A.2.7 Pushing an image to a container registry
    A.2.8 Building an image from Containerfiles
    A.2.9 Buildah as a library
  A.3 CRI-O: Container Runtime Interface for OCI containers

Appendix B—OCI runtimes
  B.1 runc
  B.2 crun
  B.3 Kata
  B.4 gVisor

Appendix C—Getting Podman
  C.1 Installing Podman
    C.1.1 macOS
    C.1.2 Windows
    C.1.3 Arch Linux and Manjaro Linux
    C.1.4 CentOS
    C.1.5 Debian
    C.1.6 Fedora
    C.1.7 Fedora-CoreOS, Fedora Silverblue
    C.1.8 Gentoo
    C.1.9 OpenEmbedded
    C.1.10 openSUSE
    C.1.11 openSUSE Kubic
    C.1.12 Raspberry Pi OS arm64
    C.1.13 Red Hat Enterprise Linux
    C.1.14 Ubuntu
  C.2 Building from source code
  C.3 Podman Desktop
  Summary

Appendix D—Contributing to Podman
  D.1 Joining the community
  D.2 Podman on github.com

Appendix E—Podman on macOS
  E.1 Using podman machine
    E.1.1 podman machine init
    E.1.2 Podman machine SSH configuration
    E.1.3 Starting the VM
    E.1.4 Stopping the VM
  Summary

Appendix F—Podman on Windows
  F.1 First steps
    F.1.1 Prerequisites
    F.1.2 Installing Podman
  F.2 Using podman machine
    F.2.1 podman machine init
    F.2.2 Podman machine SSH configuration
    F.2.3 Starting the WSL 2 instance
    F.2.4 Using podman machine commands
  Summary

index