Chapter 17. Containers

This chapter lists the most notable changes to containers between RHEL 8 and RHEL 9.

17.1. Notable changes to containers

Podman now supports secure short names

Short-name aliases for images can now be configured in the [aliases] table of the registries.conf file. The short-name modes are:

  • Enforcing: If no matching alias is found during the image pull, Podman prompts the user to choose one of the unqualified-search registries. If the selected image is pulled successfully, Podman automatically records a new short-name alias in the $HOME/.cache/containers/short-name-aliases.conf file (rootless user) or in the /var/cache/containers/short-name-aliases.conf file (root user). If the user cannot be prompted (for example, stdin or stdout is not a TTY), Podman fails. Note that the short-name-aliases.conf file takes precedence over the registries.conf file if both specify the same alias. Enforcing mode is the default in RHEL 9.
  • Permissive: Similar to enforcing mode, but Podman does not fail if the user cannot be prompted. Instead, Podman searches all unqualified-search registries in the configured order. Note that no alias is recorded in that case. Permissive mode is the default in RHEL 8.

Example:

unqualified-search-registries = ["registry.fedoraproject.org", "quay.io"]
[aliases]
"fedora" = "registry.fedoraproject.org/fedora"

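The resolution order the two modes follow is easy to get wrong when reading the description alone, so here is an added example (my own code, not Podman's) that models it: the short-name-aliases.conf cache is consulted before the [aliases] table, then the unqualified-search-registries list is used, with the enforcing and permissive modes differing only in what happens when no TTY is available. The prompt and the pull are replaced by callables so it runs offline; the one behaviour not stated on this page, that a single configured search registry needs no prompt, is taken from upstream and marked as such in the code.

```python
"""Resolve a Podman short name the way the two short-name modes do.

Added example, not Podman's code: it models the precedence described above
(the short-name-aliases.conf cache over the [aliases] table, then the
unqualified-search-registries list) for enforcing and permissive mode.
The prompt and the pull are replaced by callables so it runs offline.
"""
from typing import Callable, Dict, List, Optional


class ShortNameError(Exception):
    """Short name could not be resolved (enforcing mode without a TTY, etc.)."""


def is_fully_qualified(name: str) -> bool:
    """True when the first path component names a registry host: it contains
    a '.' or ':' or is 'localhost' (the containers/image rule)."""
    first, sep, _ = name.partition("/")
    return bool(sep) and ("." in first or ":" in first or first == "localhost")


def split_ref(name: str):
    """Split 'repo[:tag|@digest]' so aliases match the repository part and the
    tag or digest is reattached to the resolved name."""
    if "@" in name:
        repo, _, digest = name.partition("@")
        return repo, "@" + digest
    colon = name.rfind(":")
    if colon > name.rfind("/"):          # ':' after the last '/' is a tag
        return name[:colon], name[colon:]
    return name, ""


def resolve_short_name(
    name: str,
    mode: str,                              # "enforcing" (RHEL 9) or "permissive" (RHEL 8)
    registries_conf: Dict,                  # parsed registries.conf: "unqualified-search-registries", "aliases"
    alias_cache: Dict[str, str],            # parsed short-name-aliases.conf; updated when an alias is recorded
    interactive: bool,                      # True only when stdin and stdout are a TTY
    choose: Optional[Callable[[List[str]], str]] = None,   # stand-in for the interactive prompt
    pull_ok: Callable[[str], bool] = lambda ref: True,     # stand-in for "the pull succeeded"
) -> str:
    """Return the fully qualified reference Podman would pull for `name`."""
    if mode not in ("enforcing", "permissive"):
        raise ValueError(f"unknown short-name mode {mode!r}")
    if is_fully_qualified(name):
        return name
    repo, suffix = split_ref(name)

    # 1. The cache written by earlier prompts takes precedence over registries.conf.
    alias = alias_cache.get(repo) or registries_conf.get("aliases", {}).get(repo)
    if alias:
        return alias + suffix

    registries = registries_conf.get("unqualified-search-registries", [])
    if not registries:
        raise ShortNameError(f"{name}: no alias and no unqualified-search registries configured")

    # 2. No alias: a single search registry needs no prompt (upstream behaviour,
    #    not stated on the page); otherwise ask the user when a TTY is available.
    if len(registries) == 1:
        return f"{registries[0]}/{name}"
    if interactive and choose is not None:
        registry = choose(list(registries))
        if registry not in registries:
            raise ShortNameError(f"{registry!r} is not an unqualified-search registry")
        ref = f"{registry}/{name}"
        if not pull_ok(ref):
            raise ShortNameError(f"pull of {ref} failed; no alias recorded")
        alias_cache[repo] = f"{registry}/{repo}"      # remembered for the next pull
        return ref

    # 3. Cannot prompt: enforcing mode fails, permissive mode tries every
    #    search registry in the configured order and records nothing.
    if mode == "enforcing":
        raise ShortNameError(f"{name}: ambiguous short name and no TTY to prompt on")
    for registry in registries:
        ref = f"{registry}/{name}"
        if pull_ok(ref):
            return ref
    raise ShortNameError(f"{name}: not found in any unqualified-search registry")
```

The security-relevant difference is step 3: a non-interactive pull of an unaliased short name (a build pipeline, a systemd unit) fails outright under the RHEL 9 default, whereas under the RHEL 8 default it quietly takes the first registry in the search list that happens to have an image of that name. Pinning fully qualified names, or adding [aliases] entries for every short name a system uses, removes that ambiguity in both modes.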
Default container image signature verification is now available

Previously, the policy YAML files for the Red Hat Container Registries had to be created manually in the /etc/containers/registries.d/ directory. Now, the registry.access.redhat.com.yaml and registry.redhat.io.yaml files are included in the containers-common package. You can use the podman image trust command to manage the trust policy that Podman enforces at pull time; podman image trust show lists the active requirements per registry. Image signature verification is enabled by default in RHEL 8 and RHEL 9.
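
What podman image trust show prints comes from /etc/containers/policy.json, and the question a practitioner usually has is "which entry actually governs this image?" The following added example (my own code, not Podman's or containers/image's) reproduces the scope lookup the policy engine uses when deciding whether a pulled image is trusted: exact reference, then repository, then each parent namespace, then the registry host, then the transport default, then the global default. The policy it runs against is constructed for the example and patterned on the RHEL 9 default (global default accepts anything, Red Hat registries require a GPG signature); the docker.io entries are added to show a namespace overriding its parent. Wildcard scopes are not modelled.

```python
"""Which signature requirement applies to an image under policy.json?

Added example, not Podman's code. `podman image trust show` prints the policy
in /etc/containers/policy.json; this reproduces the scope lookup that
containers/image uses when deciding whether a pulled image is trusted:
exact reference, then repository, then each parent namespace, then the
registry host, then the transport default, then the global default.
(Wildcard scopes such as "*.example.com" are not modelled.)
"""
import json

# Constructed policy patterned on the RHEL 9 default: anything is accepted
# unless a more specific scope says otherwise, the Red Hat registries require
# a GPG signature, and docker.io is rejected except for the official library.
SAMPLE_POLICY = json.loads("""
{
  "default": [{"type": "insecureAcceptAnything"}],
  "transports": {
    "docker": {
      "registry.access.redhat.com": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}
      ],
      "registry.redhat.io": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}
      ],
      "docker.io": [{"type": "reject"}],
      "docker.io/library": [{"type": "insecureAcceptAnything"}]
    }
  }
}
""")


def normalize_reference(ref: str):
    """Return (identity, repository) for a docker:// reference: docker.io
    single-component names live under library/, and an untagged name means
    :latest, as in the docker transport's reference parsing."""
    name = ref[len("docker://"):] if ref.startswith("docker://") else ref
    if name.startswith("docker.io/") and name.count("/") == 1:
        name = "docker.io/library/" + name[len("docker.io/"):]
    repo = name.split("@", 1)[0]
    if ":" in repo.rsplit("/", 1)[-1]:          # ':' in the last component is a tag
        repo = repo.rsplit(":", 1)[0]
    if name == repo:
        name += ":latest"
    return name, repo


def scope_candidates(ref: str):
    """Policy scopes for ref, most specific first."""
    identity, repo = normalize_reference(ref)
    parts = repo.split("/")
    return [identity] + ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def applicable_requirements(policy: dict, ref: str, transport: str = "docker"):
    """(scope name, requirement list) that governs ref."""
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in scope_candidates(ref):
        if scope in scopes:
            return scope, scopes[scope]
    if "" in scopes:                                   # transport-wide default
        return f"{transport} transport default", scopes[""]
    return "global default", policy["default"]


def verdict(policy: dict, ref: str) -> str:
    """Every requirement in the list must pass: an empty list or one reject
    rejects, any signedBy/sigstoreSigned demands a signature, and only a list
    made solely of insecureAcceptAnything lets an unsigned image through."""
    _, reqs = applicable_requirements(policy, ref)
    types = {r["type"] for r in reqs}
    if not reqs or "reject" in types:
        return "reject"
    if types == {"insecureAcceptAnything"}:
        return "accept-unsigned"
    return "signature-required"


def unsigned_scopes(policy: dict, transport: str = "docker"):
    """Scopes (and the global default) under which unsigned images are accepted:
    the first thing to review when hardening a host's policy."""
    accepts = lambda reqs: bool(reqs) and {r["type"] for r in reqs} == {"insecureAcceptAnything"}
    found = ["global default"] if accepts(policy["default"]) else []
    for scope, reqs in policy.get("transports", {}).get(transport, {}).items():
        if accepts(reqs):
            found.append(scope or f"{transport} transport default")
    return found


if __name__ == "__main__":
    for image in ("registry.redhat.io/ubi9/ubi:latest", "docker.io/alpine",
                  "docker.io/someuser/tool:1.0", "quay.io/podman/hello"):
        scope, _ = applicable_requirements(SAMPLE_POLICY, image)
        print(f"{image:40} {verdict(SAMPLE_POLICY, image):20} via {scope}")
    print("unsigned images accepted under:", unsigned_scopes(SAMPLE_POLICY))
```

The point to take from unsigned_scopes is that "enabled by default" means the Red Hat registries are covered; any other registry a host pulls from falls through to the global default, which in the shipped policy accepts unsigned images. A hardened host narrows that default to reject and lists each trusted registry explicitly.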

Default container registries in registries.conf

The system-wide list of container registries is in the /etc/containers/registries.conf file. A rootless user can override it with $HOME/.config/containers/registries.conf, which is used instead of the system file when it exists. By changing the registries.conf file you can change the default search settings.

For RHEL 8, the default unqualified-search-registries list is:

unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]

For RHEL 9, the default unqualified-search-registries list is:

unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "quay.io", "docker.io"]

Default cgroup change

cgroup v2 is enabled by default in RHEL 9. The unified hierarchy lets systemd services and container tools work with delegated cgroup subtrees, so Podman can, for example, apply cgroup resource limits in rootless mode. The host section of podman info reports the cgroup version and the controllers available to the current user.
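
Whether rootless Podman can really use cgroups depends on two things: that the unified hierarchy is mounted, and that systemd has delegated the relevant controllers to the user's session. The following added example (my own code, not from the page or from Podman) checks both from /sys/fs/cgroup; the user.slice/user-<uid>.slice/user@<uid>.service layout is the systemd default and is assumed here, and sample_root builds a constructed look-alike tree so the check can be exercised without root.

```python
"""Check whether this host runs cgroup v2 and which controllers a rootless
user can actually use for container limits.

Added example, not from the page or from Podman. On cgroup v2 the unified
hierarchy exposes /sys/fs/cgroup/cgroup.controllers; a rootless Podman can only
enforce limits with the controllers systemd has delegated to the user's
user@<uid>.service cgroup, listed in its cgroup.subtree_control file.
The path layout under user.slice is the systemd default and is assumed here.
"""
import os
import tempfile
from pathlib import Path

# Controllers needed for, in order: --memory, --pids-limit, --cpus / --cpu-shares,
# --cpuset-cpus, and the block-I/O limits.
WANTED = ("memory", "pids", "cpu", "cpuset", "io")


def cgroup_version(root: str = "/sys/fs/cgroup") -> int:
    """2 when the unified hierarchy is mounted at root (the RHEL 9 default), else 1."""
    return 2 if Path(root, "cgroup.controllers").is_file() else 1


def user_service_cgroup(uid: int, root: str = "/sys/fs/cgroup") -> Path:
    """Where systemd keeps the user's session manager cgroup (assumed default layout)."""
    return Path(root, "user.slice", f"user-{uid}.slice", f"user@{uid}.service")


def delegated_controllers(uid: int, root: str = "/sys/fs/cgroup") -> set:
    """Controllers delegated to the user's subtree; empty on cgroup v1 or when
    the user has no running session manager."""
    if cgroup_version(root) != 2:
        return set()
    subtree = user_service_cgroup(uid, root) / "cgroup.subtree_control"
    if not subtree.is_file():
        return set()
    return set(subtree.read_text().split())


def missing_controllers(uid: int, root: str = "/sys/fs/cgroup", wanted=WANTED) -> list:
    """The wanted controllers this rootless user cannot use for limits."""
    have = delegated_controllers(uid, root)
    return [c for c in wanted if c not in have]


def report(uid: int = None, root: str = "/sys/fs/cgroup") -> str:
    """One-line summary for the given (default: current) user."""
    uid = os.getuid() if uid is None else uid
    if cgroup_version(root) != 2:
        return "cgroup v1: rootless Podman cannot apply resource limits (RHEL 8 default)"
    missing = missing_controllers(uid, root)
    if not missing:
        return f"cgroup v2, uid {uid}: all of {', '.join(WANTED)} delegated"
    return (f"cgroup v2, uid {uid}: not delegated: {', '.join(missing)}; "
            "rootless limits that need them cannot be applied")


def sample_root(delegated: str = "memory pids", uid: int = 1000, v2: bool = True) -> str:
    """Build a constructed /sys/fs/cgroup look-alike in a temp dir so the check
    can be exercised without root; 'memory pids' is what systemd delegates to
    user sessions unless told otherwise."""
    root = tempfile.mkdtemp(prefix="cgroup-")
    if v2:
        Path(root, "cgroup.controllers").write_text("cpuset cpu io memory pids\n")
        svc = user_service_cgroup(uid, root)
        svc.mkdir(parents=True)
        (svc / "cgroup.subtree_control").write_text(delegated + "\n")
    return root


if __name__ == "__main__":
    print(report())
```

When the report lists cpu, cpuset or io as not delegated, the usual remedy is a systemd drop-in (standard systemd delegation configuration, not something this page describes): /etc/systemd/system/user@.service.d/delegate.conf containing [Service] and Delegate=cpu cpuset io memory pids, followed by systemctl daemon-reload and a fresh login for the user.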

The container-tools:latest rolling stream has been updated

The container-tools:rhel8 rolling stream has been renamed to container-tools:latest. The version numbers of the stable streams remain the same (for example, 2.0 and 3.0). The container-tools:latest rolling stream, which contains the Podman, Buildah, Skopeo, and runc tools, provides bug fixes and enhancements over the previous version.

For more information, see https://access.redhat.com/support/policy/updates/containertools.

Default OCI runtime change

The crun OCI runtime is now available in the container-tools:rhel8 module. crun supports the run.oci.keep_original_groups=1 annotation, which lets a container keep access to the rootless user's supplementary groups. This is useful when volume-mounting a directory that has the setgid bit set, or to which the user only has group access.

The default container runtime in RHEL 8 is runc. The default container runtime in RHEL 9 is crun.

Running RHEL 9 containers on a RHEL 7 host is not supported

Running RHEL 9 containers on a RHEL 7 host is not supported. It might work, but it is not guaranteed.

For more information, see Red Hat Enterprise Linux Container Compatibility Matrix.