From Podman in Action by Daniel Walsh

This book, written by the leader of the Red Hat team that created Podman, teaches readers how to use Podman: a next-generation container engine that is easier to use and offers better security than Docker and other container engines.

Read on to find out more.

What is Podman?

Podman stands for Pod Manager. Pod is a concept popularized by the Kubernetes project. A pod is one or more containers sharing the same namespaces and cgroups (resource constraints). Podman runs individual containers as well as pods.

Figure 1 Podman’s logo, a group of selkies, Ireland’s concept of a mermaid. Selkies are half human and half seal, and a group of them is called a pod.

The Podman project describes Podman as “a daemonless container engine for developing, managing, and running OCI Containers on your Linux System. Containers can either be run as root or in rootless mode.”

Podman is often described with the simple line “alias docker=podman” because Podman does almost everything that Docker can do, using the same command line as Docker. But as you will learn in this book, Podman can do so much more. Understanding Docker is not critical to understanding Podman, but it is helpful.

Note The Open Container Initiative (OCI) is a standards body whose primary goal is creating open industry standards around container formats and runtimes. See more at https://opencontainers.org.

The Podman upstream project resides at github.com in the containers project (https://github.com/containers/podman), alongside other container libraries and container management tools such as Buildah and Skopeo. (See appendix A for a description of some of these tools.)

Figure 2 https://github.com/containers is the developer site for Podman and other related container tools.

Podman runs images in the newer OCI format as well as legacy Docker-format (V2 and V1) images. Podman runs any image available from container registries such as docker.io and quay.io, as well as from the hundreds of other container registries. Podman pulls these images to a Linux host and launches them in the same way as Docker and Kubernetes. Podman supports all of the OCI runtimes, such as runc, crun, Kata Containers, and gVisor, just like Docker.

The genesis of this book

When I first started working on container technology 20 years ago, we did not even call them containers; we called them sandboxes. Back in 2008, I created a tool called the SELinux sandbox, which used security tools like SELinux, the mount namespace, and cgroups to control desktop applications’ access to the home directory. In 2013, when Docker was exploding onto the scene, I was tasked with leading a team of engineers at Red Hat to work with the upstream Docker project. As soon as I started working on Docker, I recognized what a breakthrough the technology was, but I thought there were problems with its design. I did not like a centralized daemon running as root. There are better ways to run containers by taking advantage of more core concepts of the OS, and this led to the creation of Podman and other container tools.

As we designed Podman, we realized that the CLI and eventually the API had to match the Docker CLI and API, and then extend the technologies to take advantage of what we had learned from running containerized workloads over the years. With my background of 40 years in computer security, I wanted to take advantage of everything the OS provided to secure the containers, and you will learn a lot about this in the book.

Throughout this book you will learn how Podman works with the core OS to take advantage of all of the features the OS provides to isolate containerized applications from each other. This isolation covers security, resource constraints, and convincing each application that it is running on a dedicated system.

Who is this book for?

This book is intended for Linux administrators, to help them understand the advantages of using Podman as their primary container engine. You will learn how to configure your systems as securely as possible while still allowing your users to work with containers. One of Podman’s primary use cases is running containerized applications in single-node environments, such as edge devices. Podman, along with systemd, allows you to manage the entire lifecycle of an application on such nodes without human intervention. Podman’s goal is to run containers naturally on a Linux box, taking advantage of all of the features of the Linux platform.

Application developers are also an intended audience for this book. Podman is a great tool for developers looking to containerize their applications in a secure manner. Podman allows developers to create Linux containers on all Linux distributions. In addition, Podman is available on the Mac and Windows platforms, where it communicates with the Podman service running within a VM or on a Linux box available on the network. This book shows you how to work with containers, build container images, and then convert your containerized applications into either single-node services to run on edge devices or Kubernetes-based microservices.

I believe this book is useful to developers building containerized applications, to administrators learning how to run these containerized tools, and also to engineers just looking to learn about containers.
