Chapter 17. Containers
This chapter lists the most notable changes to containers between RHEL 8 and RHEL 9.
17.1. Notable changes to containers
Podman now supports secure short names
Short-name aliases for images can now be configured in the registries.conf file in the [aliases] table. The short-names modes are:
- Enforcing: If no matching alias is found during the image pull, Podman prompts the user to choose one of the unqualified-search registries. If the selected image is pulled successfully, Podman automatically records a new short-name alias in the $HOME/.cache/containers/short-name-aliases.conf file (rootless user) and in the /var/cache/containers/short-name-aliases.conf file (root user). If the user cannot be prompted (for example, stdin or stdout are not a TTY), Podman fails. Note that the short-name-aliases.conf file has precedence over the registries.conf file if both specify the same alias. The enforcing mode is default in RHEL 9.
- Permissive: Similar to enforcing mode, but Podman does not fail if the user cannot be prompted. Instead, Podman searches in all unqualified-search registries in the given order. Note that no alias is recorded. The enforcing mode is default in RHEL 8.
unqualified-search-registries = ["registry.fedoraproject.org", "quay.io"]

[aliases]
"fedora" = "registry.fedoraproject.org/fedora"
Default container image signature verification is now available
Previously, the policy YAML files for the Red Hat Container Registries had to be manually created in the /etc/containers/registries.d/ directory. Now, the registry.redhat.io.yaml files are included in the containers-common package. You can now use the podman image trust command to verify the container image signatures. Image signature verification is enabled by default in RHEL 8 and RHEL 9.
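The following script is an added example, not part of this chapter and not part of the containers tooling. It audits a policy.json the way a defender would once signature verification is on by default: the default rule must reject images that match no scope, and every registry that requires a signature (a signedBy rule) must have a signature store known from registries.d, otherwise signatures cannot be fetched and pulls fail. Only the docker transport is audited. The two policies, the registries.d mapping and the key path are constructed placeholders.

```python
"""Audit a containers policy.json once signature verification is on by default.

Added example, not part of the RHEL documentation or the containers tooling.
Checks: the policy default must reject, and every signedBy scope must have a
signature store configured in registries.d. Only the 'docker' transport is
audited; all inputs below are constructed.
"""
import json

# Constructed policy.json with two weaknesses: a permissive default and an
# unsigned quay.io scope. The key path is a placeholder, not the RHEL key.
WEAK_POLICY = json.loads("""
{
  "default": [{"type": "insecureAcceptAnything"}],
  "transports": {
    "docker": {
      "registry.redhat.io": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPath": "/path/to/placeholder-signing-key.gpg"}
      ],
      "quay.io": [{"type": "insecureAcceptAnything"}]
    },
    "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}
  }
}
""")

# Same policy with the default set to reject and the unsigned scope removed.
HARDENED_POLICY = json.loads("""
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "registry.redhat.io": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPath": "/path/to/placeholder-signing-key.gpg"}
      ]
    },
    "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}
  }
}
""")

# Constructed stand-in for the parsed registries.d YAML files: registry ->
# sigstore URL. RHEL ships registry.redhat.io.yaml in containers-common; this
# mapping only illustrates what such a file provides.
SIGSTORES = {"registry.redhat.io": "https://registry.redhat.io/containers/sigstore"}


def audit_policy(policy, sigstores):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    default = policy.get("default", [])
    if not default or any(rule.get("type") != "reject" for rule in default):
        findings.append("default: does not reject images that match no scope")
    for scope, rules in policy.get("transports", {}).get("docker", {}).items():
        registry = scope.split("/", 1)[0]   # a scope may name a registry or a repository
        for rule in rules:
            kind = rule.get("type")
            if kind == "insecureAcceptAnything":
                findings.append(f"{scope}: accepts images without a signature")
            elif kind == "signedBy":
                if not (rule.get("keyPath") or rule.get("keyData")):
                    findings.append(f"{scope}: signedBy rule has no key")
                if registry not in sigstores:
                    findings.append(
                        f"{scope}: no sigstore in registries.d, signatures cannot be fetched")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(policy, SIGSTORES) or ["clean"])
```

On a real host the effective policy can be printed with podman image trust show and the sigstore mapping read from the files under /etc/containers/registries.d/; feeding those into audit_policy is left to the reader.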
Default container registries in
You can find the list of container registries in the /etc/containers/registries.conf file as a root user and in $HOME/.config/containers/registries.conf as a non-root user. By changing the registries.conf file you can change the default system-wide search settings.
For RHEL 8, the default setting is:

unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]

For RHEL 9, the default setting is:

unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "quay.io", "docker.io"]
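The following script is an added example that models both the short-name handling described under "Podman now supports secure short names" and the unqualified-search-registries lists in this section; it is not Podman's code. It implements the documented rules: an alias in short-name-aliases.conf overrides the same alias in registries.conf; a matching alias resolves directly; otherwise enforcing mode needs an interactive choice among the search registries and fails without a TTY, while permissive mode tries every search registry in order. The parse_conf helper handles only the TOML subset these files use, and all configuration text in the script is constructed for the example (the permissive configuration reuses the RHEL 8 registry list but is not a shipped file).

```python
"""Model of Podman short-name resolution as described in this chapter.

Added example, not Podman's own code. Rules implemented:
  - short-name-aliases.conf has precedence over registries.conf for aliases
  - a matching alias resolves directly
  - enforcing mode: prompt the user (choose callback), fail without a TTY,
    record the chosen alias after a successful pull
  - permissive mode: try every unqualified-search registry in order
All configuration text below is constructed for the example.
"""


class ShortNameError(Exception):
    """Raised when a short name cannot be resolved safely."""


def parse_conf(text):
    """Parse the registries.conf subset: string/array values, [section] headers."""
    data = {"aliases": {}}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            data.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().strip('"'), value.strip()
        if value.startswith("["):                # ["a", "b"] -> ["a", "b"]
            value = [v.strip().strip('"') for v in value[1:-1].split(",") if v.strip()]
        else:
            value = value.strip('"')
        (data[section] if section else data)[key] = value
    return data


def split_ref(name):
    """Split 'repo:tag' or 'repo@digest' into (repo, separator, reference)."""
    last = name.rsplit("/", 1)[-1]
    for sep in ("@", ":"):
        if sep in last:
            repo, ref = name.rsplit(sep, 1)
            return repo, sep, ref
    return name, "", ""


def is_qualified(name):
    """A name is fully qualified when its first path component is a registry host."""
    first, slash, _ = name.partition("/")
    return bool(slash) and ("." in first or ":" in first or first == "localhost")


def resolve(name, registries_conf, aliases_conf="", has_tty=False,
            choose=None, recorded=None):
    """Return the fully qualified candidate names to try, in order.

    choose(search_list) stands in for Podman's interactive prompt; recorded,
    if given, receives the alias Podman would write to short-name-aliases.conf.
    """
    if is_qualified(name):
        return [name]                            # no short-name logic at all
    system = parse_conf(registries_conf)
    # short-name-aliases.conf has precedence over registries.conf
    aliases = {**system["aliases"], **parse_conf(aliases_conf)["aliases"]}
    repo, sep, ref = split_ref(name)
    if repo in aliases:
        return [aliases[repo] + sep + ref]
    search = system.get("unqualified-search-registries", [])
    if not search:
        raise ShortNameError(f"no alias for {repo!r} and no unqualified-search-registries")
    mode = system.get("short-name-mode", "enforcing")
    if mode == "permissive":
        return [f"{reg}/{repo}{sep}{ref}" for reg in search]
    if mode != "enforcing":
        raise ShortNameError(f"unknown short-name-mode {mode!r}")
    if not has_tty or choose is None:
        raise ShortNameError(f"short name {repo!r} is ambiguous and there is no TTY "
                             "to prompt; use a fully qualified image name")
    registry = choose(search)
    if recorded is not None:                     # persisted after a successful pull
        recorded[repo] = f"{registry}/{repo}"
    return [f"{registry}/{repo}{sep}{ref}"]


# Constructed registries.conf using the RHEL 9 search list from this chapter.
RHEL9_CONF = '''
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "quay.io", "docker.io"]
short-name-mode = "enforcing"

[aliases]
"fedora" = "registry.fedoraproject.org/fedora"
'''

# Constructed permissive configuration reusing the RHEL 8 search list.
PERMISSIVE_CONF = '''
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]
short-name-mode = "permissive"
'''

# Constructed per-user short-name-aliases.conf; its "fedora" entry takes precedence.
CACHED_ALIASES = '''
[aliases]
"fedora" = "quay.io/fedora/fedora"
"ubi9" = "registry.access.redhat.com/ubi9"
'''

if __name__ == "__main__":
    print(resolve("fedora:38", RHEL9_CONF))
    print(resolve("fedora:38", RHEL9_CONF, CACHED_ALIASES))
    print(resolve("nginx", PERMISSIVE_CONF))
```

Resolving an unaliased short name in permissive mode yields one candidate per search registry, so the same short name can pull from a different registry on a RHEL 8 host than on a RHEL 9 host; pinning aliases or using fully qualified names removes that ambiguity.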
Default cgroup change
cgroup v2 is enabled by default in RHEL 9. It enables you to use systemd services, container tools, and delegation of cgroup hierarchies. For example, the Podman tool is now able to use cgroups in rootless mode.
container-tools:latest rolling stream has been updated
The container-tools:rhel8 rolling stream is now renamed to container-tools:latest. The numbers for stable streams remain the same (for example 2.0, 3.0). The container-tools:latest rolling stream, which contains the Podman, Buildah, Skopeo, and runc tools, is now available. This update provides bug fixes and enhancements over the previous version.
For more information, see https://access.redhat.com/support/policy/updates/containertools.
Default OCI runtime change
The crun OCI runtime is now available for the container-tools:rhel8 module. The crun container runtime supports an annotation that enables the container to access the rootless user’s additional groups. This is useful for container operations when volume mounting in a directory where setgid is set, or where the user only has group access.
The default container runtime in RHEL 8 is runc. The default container runtime in RHEL 9 is crun.
Running RHEL 9 containers on a RHEL 7 host is not supported
Running RHEL 9 containers on a RHEL 7 host is not supported. It might work, but it is not guaranteed.
For more information, see Red Hat Enterprise Linux Container Compatibility Matrix.