Chapter 1. Starting with containers

Linux Containers have emerged as a key open source application packaging and delivery technology, combining lightweight application isolation with the flexibility of image-based deployment methods.

Red Hat Enterprise Linux implements Linux Containers using core technologies such as Control Groups (cgroups) for resource management, namespaces for process isolation, and SELinux for security, enabling secure multi-tenancy and reducing the potential for security exploits. Cgroups and namespaces limit what a container can consume and see; the mandatory access control that SELinux adds is what still confines a container process on the host if it finds a way around those limits. All of this is meant to provide you with an environment for producing and running enterprise-quality containers.

Red Hat OpenShift provides powerful command-line and Web UI tools for building, managing and running containers in units referred to as pods. However, there are times when you might want to build and manage individual containers and container images outside of OpenShift. This guide describes the tools that run directly on RHEL systems for performing those tasks.

Unlike other container tool implementations, the tools described here do not center around the monolithic Docker container engine and docker command. Instead, we provide a set of command-line tools that can operate without a container engine. These include:

  • podman - For directly managing pods and container images (run, stop, start, ps, attach, exec, and so on)
  • buildah - For building, pushing and signing container images
  • skopeo - For copying, inspecting, deleting, and signing images
  • runc - For providing container run and build features to podman and buildah

Because these tools are compatible with the Open Container Initiative (OCI), they can be used to manage the same Linux containers that are produced and managed by Docker and other OCI-compatible container engines. However, they are especially suited to run directly on Red Hat Enterprise Linux, in single-node use cases.

For a multi-node container platform, see OpenShift. Instead of relying on the single-node, daemonless tools described in this document, OpenShift requires a daemon-based container engine. Please see Using the CRI-O Container Engine for details.

1.1. Running containers without Docker

Red Hat did not just remove the Docker container engine from OpenShift. It also removed the Docker container engine, along with the docker command, from Red Hat Enterprise Linux 8 entirely. For RHEL 8, Docker is not included and not supported.

The removal of Docker reflects a change in Red Hat’s way of thinking about how containers are handled:

  • In the enterprise, the focus is not on running individual containers from the command line. The primary venue for running containers is a Kubernetes-based platform, such as OpenShift.
  • By repositioning OpenShift as the project for running containers, container engines like Docker become just another component of OpenShift with no direct access by end users.
  • Because the container engine in OpenShift is not meant to be used directly, it can be implemented with a limited feature set that focuses on doing everything that OpenShift needs, without having to implement lots of standalone features.

Although Docker is gone from RHEL 8, and OpenShift’s container engine is disconnected from single-node uses, people still want to use commands to work with containers and images manually. So Red Hat set about creating a set of tools that implement most of what the docker command does.

Tools like podman, skopeo, and buildah were developed to take over those docker command features. Each tool in this scenario can be more lightweight and focused on a subset of features. And because no daemon process is needed to implement a container engine, these tools run without the overhead of a daemon, and there is no long-running, root-owned daemon socket to expose or protect.

If you feel that you still want to use Docker in RHEL 8, know that you can get Docker from different upstream projects, but that its use is unsupported in RHEL 8. Because podman implements so many docker command-line features exactly, you can set up an alias so that typing docker causes podman to run.

Installing the podman-docker package sets up such an alias. So every time you run a docker command line, it actually runs podman for you. More on this package later.

1.2. Choosing a RHEL architecture for containers

Red Hat provides container images and container-related software for the following computer architectures:

  • AMD64 and Intel 64 (base and layered images) (no support for the 32-bit AMD and Intel architecture)
  • PowerPC 8 64-bit (base image and most layered images)
  • PowerPC 9 64-bit (base image and most layered images)
  • IBM Z (base image and most layered images)
  • ARM 64-bit (base image only)

The following table lists container images that are available for different architectures for RHEL 8.

Table 1.1. Red Hat container images and supported architectures

  Image name           X86_64   PowerPC 8 & 9   s390x   ARM 64
  ubi8/rhel            Yes      Yes             Yes     No
  ubi8/rhel-minimal    Yes      Yes             Yes     No
  ubi8/rhel-init       Yes      Yes             Yes     No
  ubi8/rsyslog         Yes      Yes             Yes     No
  ubi8/support-tools   Yes      Yes             Yes     Yes
  ubi8/net-snmp        Yes      Yes             Yes     No
  ubi8/ubi8-aarch64    No       No              No      Yes

1.3. Getting container tools

To get an environment where you can manipulate individual containers, you can install a Red Hat Enterprise Linux 8 system, then add a set of container tools to find, run, build and share containers. Here are examples of container-related tools you can install with RHEL 8:

  • podman - Client tool for managing containers. Can replace most features of the docker command for working with individual containers and images.
  • buildah - Client tool for building OCI-compliant container images.
  • skopeo - Client tool for copying container images to and from container registries. Includes features for signing and authenticating images as well.
  • runc - Container runtime client for running and working with Open Container Initiative (OCI) format containers.

Under the RHEL subscription model, if you want to create container images, the host computer on which you build them must be properly registered and entitled. When you install packages as part of a container build, the build process automatically has access to the entitlements of the RHEL host, so it can install RPM packages from any repository enabled on that host.

  1. Install RHEL: If you are ready to begin, you can start by installing a Red Hat Enterprise Linux system.
  2. Register RHEL: Once RHEL is installed, register the system. You will be prompted to enter your user name and password. Note that the user name and password are the same as your login credentials for Red Hat Customer Portal.

    # subscription-manager register
    Registering to: subscription.rhsm.redhat.com:443/subscription
    Username: ********
    Password: **********
  3. Subscribe RHEL: Either auto subscribe or determine the pool ID of a subscription that includes Red Hat Enterprise Linux. Here is an example of auto-attaching a subscription:

    # subscription-manager attach --auto
  4. Install packages: To start building and working with individual containers, install the container-tools module, which pulls in the full set of container software packages:

    # yum module install -y container-tools
  5. Install podman-docker (optional): If you are comfortable with the docker command or use scripts that call docker directly, you can install the podman-docker package. That package installs a link that replaces the docker command-line interface with the matching podman commands instead. It also links the man pages together, so man docker info will show the podman info man page. Note that this only provides the command line: scripts that talk to the Docker daemon socket directly still have nothing to connect to.

    # yum install -y podman-docker

1.4. Enabling container settings

No container engine (such as Docker or CRI-O) is required for you to run containers on your local system. However, configuration settings in the /etc/containers/registries.conf file let you define which container registries tools such as podman and buildah search, which they may reach without TLS protection, and which they must not use at all. The layout shown here is the original (v1) format of that file; newer versions of the container tools also accept a v2 layout in the same file, which is described in the registries.conf(5) man page.

Here are example settings in the /etc/containers/registries.conf file:

[registries.search]
registries = ['registry.redhat.io', 'quay.io', 'docker.io']

[registries.insecure]
registries = []

[registries.block]
registries = []

By default, when you use podman search to search for images, or podman pull with an image name that does not start with a registry host, podman consults the registries.conf file and looks for the requested image in registry.redhat.io, quay.io, and docker.io, in that order. Because an unqualified name is tried against each search registry in turn, a typo or a missing internal image can fall through to a public registry and pull a different image than you intended; prefer fully qualified names such as registry.redhat.io/ubi8/ubi when the source matters.

A registry listed under [registries.insecure] is one that podman may reach over plain HTTP, or over TLS with a certificate it cannot verify; "insecure" does not mean that the registry requires no authentication. Because images pulled from such a registry are not protected in transit, keep this list empty unless you are talking to a trusted registry on a trusted network. Any registries that you want to disallow from your local system, for both pulling and pushing, need to be added under the [registries.block] section.
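As an added example, not part of the Red Hat guide or of the containers project's own code, the following Python script parses the v1 registries.conf layout shown above, models how podman matches an unqualified image name against the search list, and lints the result for the two weak settings discussed here (insecure registries and a public registry in the search path). Both configuration samples are constructed for the example; registry.lab.example.com:5000 is a hypothetical host, and the lint rules and the "hardened" policy of blocking docker.io are the example's own choices, not a Red Hat recommendation.

```python
"""Lint the v1 registries.conf layout shown in this chapter (added example)."""
import re
from dataclasses import dataclass, field
from typing import List

SECTION_RE = re.compile(r"^\s*\[registries\.(search|insecure|block)\]\s*$")
LIST_RE = re.compile(r"^\s*registries\s*=\s*\[(.*)\]\s*$")

# Constructed sample: the chapter's default search order, plus an
# insecure entry for a hypothetical lab registry (not a real host).
WEAK_CONF = """\
[registries.search]
registries = ['registry.redhat.io', 'quay.io', 'docker.io']

[registries.insecure]
registries = ['registry.lab.example.com:5000']

[registries.block]
registries = []
"""

# Constructed hardened counterpart: no insecure registries, and the
# public Docker Hub is blocked instead of searched (one possible policy).
HARDENED_CONF = """\
[registries.search]
registries = ['registry.redhat.io', 'quay.io']

[registries.insecure]
registries = []

[registries.block]
registries = ['docker.io']
"""


@dataclass
class RegistriesConf:
    search: List[str] = field(default_factory=list)
    insecure: List[str] = field(default_factory=list)
    block: List[str] = field(default_factory=list)


def parse_registries_conf(text: str) -> RegistriesConf:
    """Parse the three v1 tables; other sections and comments are ignored."""
    conf = RegistriesConf()
    table = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            table = m.group(1)
            continue
        m = LIST_RE.match(line)
        if m and table is not None:
            items = [s.strip().strip("'\"") for s in m.group(1).split(",")]
            getattr(conf, table).extend(i for i in items if i)
    return conf


def is_fully_qualified(image: str) -> bool:
    """podman's short-name rule: the first path component names a registry
    only if it contains '.' or ':' or is exactly 'localhost'."""
    first, sep, _ = image.partition("/")
    return bool(sep) and ("." in first or ":" in first or first == "localhost")


def resolution_candidates(conf: RegistriesConf, image: str) -> List[str]:
    """Registries that would be tried, in order, for a pull of `image`."""
    if is_fully_qualified(image):
        return [image.partition("/")[0]]
    return [r for r in conf.search if r not in conf.block]


def lint(conf: RegistriesConf) -> List[str]:
    """Findings are 'code: message' strings; an empty list means clean."""
    findings = []
    for r in conf.insecure:
        findings.append(f"insecure: {r} may be reached over plain HTTP or with an "
                        "unverifiable TLS certificate, so pulled images can be altered in transit")
    if "docker.io" in conf.search:
        findings.append("search: docker.io is searched for unqualified names; a typo or a "
                        "missing internal image silently falls through to a public registry")
    for r in conf.block:
        if r in conf.search:
            findings.append(f"block: {r} is listed in both search and block, so pulls from it are refused")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        conf = parse_registries_conf(text)
        print(f"{label}: ubi8/ubi -> {resolution_candidates(conf, 'ubi8/ubi')}")
        for finding in lint(conf) or ["clean"]:
            print(f"  {finding}")
```

Run it against your own file with `parse_registries_conf(open("/etc/containers/registries.conf").read())`; the resolution helper is the quick way to see which registries a given unqualified name in a script would actually be tried against, which is usually the surprise when an image comes from somewhere unexpected.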