Subscribe to the feed

The update of Container Tools in RHEL 8.4 brings a lot of great new features. In this post we'll look at major new features and additions to Podman, UBI, automatic image updates and much more.

This is a major update since RHEL 8.3 (Updates to Container Tools in Red Hat Enterprise Linux 8.3) and if you have been looking to move from Docker on RHEL 7 to Podman on RHEL 8, this is a great time to look at doing an upgrade.

Red Hat named a Leader in the 2024 Gartner® Magic Quadrant™ for second consecutive year

Red Hat was named a Leader in the Gartner 2024 Magic Quadrant for Container Management. This year, Red Hat was positioned furthest on the Completeness of Vision axis.

Here’s a quick summary of what’s new in RHEL 8.4:

  • New fast and stable streams with Podman 3.0

  • UBI Micro

  • Automatic Image Updates

  • Secure Short Names

  • Podman Volume Support

  • Overlay Volume Mounts

  • Technology Preview of The crun Container Runtime

New fast and stable streams with Podman 3.0

In RHEL 8, we provide two main types of application streams for the container tools: one fast, one stable for 24 months. You can easily see the versions of Podman, Buildah and Skopeo with a single command:

yum module list | grep container-tools

Output:

container-tools      rhel8 [d]       common [d]                               Most recent (rolling) versions of podman, buildah, skopeo, runc, conmon, runc, conmon, CRIU, Udica, etc as well as dependencies such as container-selinux built and tested together, and updated as frequently as every 12 weeks.
container-tools      1.0             common [d]                               Stable versions of podman 1.0, buildah 1.5, skopeo 0.1, runc, conmon, CRIU, Udica, etc as well as dependencies such as container-selinux built and tested together, and supported for 24 months.                                 
container-tools      2.0             common [d]                               Stable versions of podman 1.6, buildah 1.11, skopeo 0.1, runc, conmon, etc as well as dependencies such as container-selinux built and tested together, and supported as documented on the Application Stream lifecycle page.    
container-tools      3.0             common [d]                               Stable versions of podman 3.0, buildah 1.19, skopeo 1.2, runc, conmon, etc as well as dependencies such as container-selinux built and tested together, and supported as documented on the Application Stream lifecycle page.

As you can see in the output, the latest fast and stable streams provide Podman 3.0, Buildah 1.19, and Skopeo 1.2. In particular Podman 3.0 brings with it a lot of exciting new features that give users access to a Docker-compatible socket. Many new API endpoints have been implemented which enables a lot of legacy software to function using Podman. Many upstream tools like kind, minikube, syft, and grype have had success using the Docker compatible endpoint in Podman. If you’re interested in this use case, check out the Container Tools Application Streams in RHEL 8.4.

As a reminder, and per the Application Streams Life Cycle page, with the launch of our latest Container Tools fast and stable streams, the Container Tools 1.0 stream moves out of support. If you need active support, please move to the 2.0 or 3.0 stable streams.

UBI Micro

This is a long awaited feature which brings RHEL-based tiny container images to the world. The popularity of tiny images has exploded over the last couple of years, but the world has lacked a tiny container image that fits into the existing software ecosystem. 

UBI Micro leverages the advantages of a “distroless” image, because it has no package manager (YUM/RPM), but it’s still constructed from RHEL packages. This gives it the best characteristics of a distroless image, and traditional container image merged into one.

You might be asking yourself, how do I add packages to UBI if there’s no package manager? Don't worry, it's not hard. 

To add packages to UBI Micro, you use Buildah on the container host. Let’s demonstrate how to build on the UBI Micro image using Buidlah. The following commands will pull the image, mount it, install Apache HTTP and commit the image in the local container/storage cache:

microcontainer=$(buildah from registry.access.redhat.com/ubi8/ubi-micro)
micromount=$(buildah mount $microcontainer)
yum install \
    --installroot $micromount \
    --releasever 8 \
    --setopt install_weak_deps=false \
    --nodocs -y
    httpd
yum clean all \
    --installroot $micromount
buildah umount $microcontainer
buildah commit $microcontainer ubi-micro-httpd

Now, check out how big it is:

podman images | grep ubi-micro-httpd

Output:

localhost/ubi-micro-httpd                                     latest                                                       7c557e7fbe9f  22 minutes ago  151 MB

Automatic image updates

The Podman auto-update feature is now considered Generally Available in RHEL 8.4. This feature is quite useful in conjunction with RHEL for Edge Computing or anywhere a sysadmin or architect wants to control updates from a registry server. 

This feature is quite simple to use:

  1. Run a container using a container image for which you control the updates

  2. Use podman to generate a systemd unit file

  3. Install the systemd unit file and start the service

  4. Trigger updates with the podman auto-update command or by using systemd timers

One can easily imagine how this can be used to control updates of a large estate of edge servers. The sysadmin could update the image in the registry, and thousands of nodes could pick up changes based on a systemd timer. If the sysadmin needs to roll back, they could roll back the image in the registry and mass ssh out to each node with a podman auto-update command. 

For more information, see the RHEL Building, running, and managing containers guide. The upstream documentation is also great, and there’s a really nice blog post called Improved systemd integration with Podman 2.0 as well.

Secure short names

This new feature, pulling images with Podman by using short names, includes more security, greater convenience, and is another step forward for container management. Everyone that’s ever used Docker or Podman has used a short name. It’s very convenient to type something like:

podman run -it ubi

But, what happens if some hacker has put a repository up on docker.io or quay.io with the name ubi? Well, it creates risk. If the search order in your registries.conf file is wrong, you could pull an image from the hacker instead of from Red Hat. Until now.

With this feature added in RHEL 8.4, a pre-populated list of secure mappings is provided so for example when a user uses podman to pull the ubi image, the user gets the image from registry.access.redhat.com/ubi8/ubi. You may ask yourself, but what happens if the short name mapping isn’t in the list? Well, if there’s no mapping, podman is smart enough to prompt the user and ask what to do.

Note, if you are using short names in your scripts, you really should change them to full URLs. In RHEL 8, we’ve defaulted to falling back to insecure mode if podman detects it’s running without a shell. This means your scripts won’t start failing when you upgrade podman. But, we plan to change this to enforcing mode at some point in the future. 

For more information, see the RHEL Building, running, and managing containers guide. Also, check out this great post by Valentin Rothberg: Container image short names in Podman.

Podman volume plugin support

Podman volume plugin support makes it easier for RHEL customers to leverage existing storage plugins from third party vendors like Veritas and PortWorx. If your production workloads on RHEL 7 require these plugins, you can now bring these workloads to RHEL 8 with Podman. The new Podman volume plugin framework adheres to version 1.13 of the Docker plugin framework so existing plugins should just work. This is another step toward making it easier to move from Docker to Podman.

For specific instructions on how to install third party volume plugins, please refer to the vendor’s website. For more information about how to configure Podman to use these plugins, please see the man pages (podman-volume-create and containers.conf).

Overlay volume mounts

Overlay mounts are a cool little feature which is unique to Podman. Overlay mounts can be used to speed up the build process by 200% or more. With overlay mounts container builds can more safely and easily share a local YUM/DNF cache on the host. This strategy is particularly effective when combined with UBI running on a RHEL host. RHEL provides updates for many years, which is great for security, but also generates a lot of metadata over time as patches are released.

Let’s show a quick example of how you can speed up builds. Run this to build a cache and save all of the packages locally:

mkdir ~/ubi7
podman run -v ~/ubi7:/var/cache/yum:z -ti ubi7 yum update -y --setopt=keepcache=1

Output: 

...
Transaction Summary
===============================================================================================================================
Install  38 Packages
Upgrade  27 Packages
...
Complete!

real 1m44.247s
user 0m0.339s
sys 0m0.336s

Now, test the speed up using overlay mounts. This will simulate a build from within a Dockerfile/Containerfile:

time podman run -v ~/ubi7:/var/cache/yum:O yum update -y -C

Output:

Complete!

real 0m45.064s
user 0m0.283s
sys 0m0.339s

We were able to speed a build up by 230% driving the time down from 104 seconds to 45 seconds. As RHEL 8 ages, and there are more packages available, the time and storage resource savings will be even more.

For more information, check out this post by Dan Walsh: Speed up container builds with overlay mounts and the man page (podman-run --volume).

Technology Preview of the crun container runtime

 

2021 Containers-pattern-Blog-thumbnail.png

As we look forward to RHEL 9, we are focusing on how best to support more refined resource allocation (CPU, RAM, Disk, Network, etc) with cgroupsv2. We continue to make crun available as a Technology Preview with the intent to make it generally available and enable rock solid support for cgroupsv2 in a future version of RHEL 8 as well as RHEL 9.

We plan to continue to fully support runc in future versions of RHEL 8 as well as RHEL 9. Finally, runc will remain the default for the life of RHEL 8. We plan to introduce crun as an optional container runtime in a future version of RHEL 8 to support elegant new features while still maintaining complete compatibility with OCI standards. 

Final notes

With the release of RHEL 8.4, we continued testing the Podman container image and getting feedback from users. We continue to improve the user experience for this container image and continue to make it available as a Technology Preview. 

Podman historically shared the same pause image as upstream Kubernetes. While this is a perfectly fine image, it didn’t meet some stringent security requirements. To solve this, we’ve built a dedicated pause container from RHEL 8 and Red Hat Universal Base Image. We’ve also configured Podman to use this new image when run on a RHEL 8 host. 

This covers all of the major new features in the containers subsystem of RHEL 8.4. Stay tuned to the Red Hat Blog for more updates on RHEL containers.


About the author

At Red Hat, Scott McCarty is Senior Principal Product Manager for RHEL Server, arguably the largest open source software business in the world. Focus areas include cloud, containers, workload expansion, and automation. Working closely with customers, partners, engineering teams, sales, marketing, other product teams, and even in the community, he combines personal experience with customer and partner feedback to enhance and tailor strategic capabilities in Red Hat Enterprise Linux.

McCarty is a social media start-up veteran, an e-commerce old timer, and a weathered government research technologist, with experience across a variety of companies and organizations, from seven person startups to 20,000 employee technology companies. This has culminated in a unique perspective on open source software development, delivery, and maintenance.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

Browse by channel

automation icon

Automation

The latest on IT automation for tech, teams, and environments

AI icon

Artificial intelligence

Updates on the platforms that free customers to run AI workloads anywhere

open hybrid cloud icon

Open hybrid cloud

Explore how we build a more flexible future with hybrid cloud

security icon

Security

The latest on how we reduce risks across environments and technologies

edge icon

Edge computing

Updates on the platforms that simplify operations at the edge

Infrastructure icon

Infrastructure

The latest on the world’s leading enterprise Linux platform

application development icon

Applications

Inside our solutions to the toughest application challenges

Original series icon

Original shows

Entertaining stories from the makers and leaders in enterprise tech