In this post:
A look at Podman 3.0 and the fast and the stable application streams for Red Hat Enterprise Linux (RHEL).
Discussion of features like secure short names and automatic image updates.
Plans for the crun container runtime in RHEL 8 and future versions of RHEL.
The update of Container Tools in RHEL 8.4 brings a lot of great new features. In this post we'll look at major new features and additions to Podman, UBI, automatic image updates and much more.
This is a major update since RHEL 8.3 (Updates to Container Tools in Red Hat Enterprise Linux 8.3) and if you have been looking to move from Docker on RHEL 7 to Podman on RHEL 8, this is a great time to look at doing an upgrade.
Here’s a quick summary of what’s new in RHEL 8.4:
New fast and stable streams with Podman 3.0
In RHEL 8, we provide two main types of application streams for the container tools: one fast, one stable for 24 months. You can easily see the versions of Podman, Buildah and Skopeo with a single command:
yum module list | grep container-tools
container-tools rhel8 [d] common [d] Most recent (rolling) versions of podman, buildah, skopeo, runc, conmon, runc, conmon, CRIU, Udica, etc as well as dependencies such as container-selinux built and tested together, and updated as frequently as every 12 weeks.
container-tools 1.0 common [d] Stable versions of podman 1.0, buildah 1.5, skopeo 0.1, runc, conmon, CRIU, Udica, etc as well as dependencies such as container-selinux built and tested together, and supported for 24 months.
container-tools 2.0 common [d] Stable versions of podman 1.6, buildah 1.11, skopeo 0.1, runc, conmon, etc as well as dependencies such as container-selinux built and tested together, and supported as documented on the Application Stream lifecycle page.
container-tools 3.0 common [d] Stable versions of podman 3.0, buildah 1.19, skopeo 1.2, runc, conmon, etc as well as dependencies such as container-selinux built and tested together, and supported as documented on the Application Stream lifecycle page.
As you can see in the output, the latest fast and stable streams provide Podman 3.0, Buildah 1.19, and Skopeo 1.2. In particular, Podman 3.0 brings a lot of exciting new features that give users access to a Docker-compatible socket. Many new API endpoints have been implemented, which enables a lot of legacy software to function using Podman. Many upstream tools like kind, minikube, syft, and grype have had success using the Docker-compatible endpoint in Podman. If you’re interested in this use case, check out the Container Tools Application Streams in RHEL 8.4.
As a reminder, and per the Application Streams Life Cycle page, with the launch of our latest Container Tools fast and stable streams, the Container Tools 1.0 stream moves out of support. If you need active support, please move to the 2.0 or 3.0 stable streams.
UBI Micro
This is a long-awaited feature which brings RHEL-based tiny container images to the world. The popularity of tiny images has exploded over the last couple of years, but the world has lacked a tiny container image that fits into the existing software ecosystem.
UBI Micro leverages the advantages of a “distroless” image, because it has no package manager (YUM/RPM), but it’s still constructed from RHEL packages. This gives it the best characteristics of a distroless image and of a traditional container image, merged into one.
You might be asking yourself, how do I add packages to UBI if there’s no package manager? Don't worry, it's not hard.
To add packages to UBI Micro, you use Buildah on the container host. Let’s demonstrate how to build on the UBI Micro image using Buildah. The following commands will pull the image, mount it, install the Apache HTTP server into the mounted root, and commit the image to the local containers/storage cache:
microcontainer=$(buildah from registry.access.redhat.com/ubi8/ubi-micro)
micromount=$(buildah mount $microcontainer)
# install into the mounted image root, not the host; weak deps and docs kept out to stay small
yum install \
    --installroot $micromount \
    --releasever 8 \
    --setopt install_weak_deps=false \
    --nodocs -y \
    httpd
# clean the cache inside the image root so it is not committed
yum clean all \
    --installroot $micromount
buildah umount $microcontainer
buildah commit $microcontainer ubi-micro-httpd
Now, check out how big it is:
podman images | grep ubi-micro-httpd
localhost/ubi-micro-httpd latest 7c557e7fbe9f 22 minutes ago 151 MB
Automatic image updates
The Podman auto-update feature is now considered Generally Available in RHEL 8.4. This feature is quite useful in conjunction with RHEL for Edge Computing or anywhere a sysadmin or architect wants to control updates from a registry server.
This feature is quite simple to use:
Run a container using a container image for which you control the updates
Use podman to generate a systemd unit file
Install the systemd unit file and start the service
Trigger updates with the podman auto-update command or by using systemd timers
One can easily imagine how this can be used to control updates of a large estate of edge servers. The sysadmin could update the image in the registry, and thousands of nodes could pick up changes based on a systemd timer. If the sysadmin needs to roll back, they could roll back the image in the registry and mass ssh out to each node with a podman auto-update command.
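The four steps above as one script, added here as an example and not taken from the Red Hat post. IMAGE and NAME are assumed placeholders; the io.containers.autoupdate label, the podman sub-commands and their flags are the documented ones. The script refuses a short-name image up front, because auto-update only tracks containers created from a fully qualified reference.

```shell
#!/bin/sh
# Added example (not from the Red Hat post): the auto-update procedure as a script.
# IMAGE and NAME are assumed placeholders you control.
set -eu

IMAGE="registry.example.com/ops/webapp:stable"   # assumed placeholder; must be fully qualified
NAME="webapp"

# A reference whose first path component has a dot, a port, or is "localhost"
# names its registry explicitly; anything else is a short name and is refused.
is_fully_qualified() {
  case "$1" in */*) case "${1%%/*}" in *.*|*:*|localhost) return 0 ;; esac ;; esac
  return 1
}

setup_autoupdate() {
  is_fully_qualified "$IMAGE" || { echo "refusing short name: $IMAGE" >&2; return 1; }
  # Step 1: run the container with the label that opts it into registry-driven updates.
  podman run -d --name "$NAME" --label io.containers.autoupdate=registry "$IMAGE"
  # Step 2: generate a unit that recreates the container from the image on every start (--new).
  podman generate systemd --new --name --files "$NAME"
  # Step 3: install the generated unit as a user service and start it.
  mkdir -p "$HOME/.config/systemd/user"
  mv "container-$NAME.service" "$HOME/.config/systemd/user/"
  systemctl --user daemon-reload
  systemctl --user enable --now "container-$NAME.service"
  # Step 4: compare the running image digest with the registry; pull and restart on change.
  podman auto-update
}
```

Call setup_autoupdate on a RHEL 8.4 host as the user that should own the service; a systemd timer can then run podman auto-update on a schedule.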
For more information, see the RHEL Building, running, and managing containers guide. The upstream documentation is also great, and there’s a really nice blog post called Improved systemd integration with Podman 2.0 as well.
Secure short names
This new feature, pulling images with Podman by using short names, brings more security and greater convenience, and is another step forward for container management. Everyone that’s ever used Docker or Podman has used a short name. It’s very convenient to type something like:
podman run -it ubi
But, what happens if some hacker has put a repository up on docker.io or quay.io with the name ubi? Well, it creates risk. If the search order in your registries.conf file is wrong, you could pull an image from the hacker instead of from Red Hat. Until now.
With this feature added in RHEL 8.4, a pre-populated list of secure mappings is provided, so, for example, when a user pulls the ubi image with podman, the user gets the image from registry.access.redhat.com/ubi8/ubi. You may ask yourself, what happens if the short name mapping isn’t in the list? Well, if there’s no mapping, podman is smart enough to prompt the user and ask which registry to use.
Note, if you are using short names in your scripts, you really should change them to fully qualified image names. In RHEL 8, we’ve defaulted to falling back to insecure (permissive) mode if podman detects it’s running without a terminal. This means your scripts won’t start failing when you upgrade podman. But, we plan to change this to enforcing mode at some point in the future.
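To make the resolution rules concrete, here is a small resolver, added as an example and not part of the post or of Podman, that mirrors how a short name is matched against the [aliases] table of registries.conf and what happens when no alias exists (prompt on a terminal; failure in enforcing mode; search-registry fallback in permissive mode). The configuration is constructed inline for the demo; on RHEL 8.4 the real files are /etc/containers/registries.conf and the drop-ins under /etc/containers/registries.conf.d/.

```shell
#!/bin/sh
# Added example (not from the post): short-name resolution against a constructed
# registries.conf fragment, following the documented permissive/enforcing rules.
set -eu

CONF='unqualified-search-registries = ["registry.access.redhat.com", "registry.redhat.io", "docker.io"]
short-name-mode = "permissive"

[aliases]
  "ubi" = "registry.access.redhat.com/ubi8/ubi"
  "ubi-micro" = "registry.access.redhat.com/ubi8/ubi-micro"'

# A name whose first path component has a dot, a port, or is "localhost" already
# carries its registry and never goes through alias resolution.
is_fully_qualified() {
  case "$1" in */*) case "${1%%/*}" in *.*|*:*|localhost) return 0 ;; esac ;; esac
  return 1
}

# Print the alias target for a repository name, or nothing when no alias is set.
alias_for() {
  printf '%s\n' "$CONF" | sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# resolve NAME MODE TTY: prints the reference Podman would pull, PROMPT when the
# user would be asked interactively, or ERROR (exit 1) for enforcing mode without a TTY.
resolve() {
  name=$1; mode=$2; tty=$3
  if is_fully_qualified "$name"; then printf '%s\n' "$name"; return 0; fi
  repo=${name%%:*}; tag=${name#"$repo"}        # keep an explicit :tag, if any
  target=$(alias_for "$repo")
  if [ -n "$target" ]; then printf '%s\n' "$target$tag"; return 0; fi
  # No alias: on a terminal Podman asks which registry to use; without one,
  # enforcing mode fails while permissive mode tries each search registry in order.
  if [ "$tty" = yes ]; then echo PROMPT; return 0; fi
  if [ "$mode" = enforcing ]; then echo ERROR; return 1; fi
  regs=$(printf '%s\n' "$CONF" | sed -n 's/^unqualified-search-registries *= *\[\(.*\)\].*/\1/p' | tr -d '"' | tr ',' ' ')
  out=''
  for r in $regs; do out="$out${out:+ }$r/$name"; done
  printf '%s\n' "$out"
}
```

The fallback list shows why a wrong search order matters: an unaliased name is tried registry by registry, so only an alias or a fully qualified name pins the source.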
For more information, see the RHEL Building, running, and managing containers guide. Also, check out this great post by Valentin Rothberg: Container image short names in Podman.
Podman volume plugin support
Podman volume plugin support makes it easier for RHEL customers to leverage existing storage plugins from third-party vendors like Veritas and PortWorx. If your production workloads on RHEL 7 require these plugins, you can now bring these workloads to RHEL 8 with Podman. The new Podman volume plugin framework adheres to version 1.13 of the Docker plugin framework, so existing plugins should just work. This is another step toward making it easier to move from Docker to Podman.
For specific instructions on how to install third party volume plugins, please refer to the vendor’s website. For more information about how to configure Podman to use these plugins, please see the man pages (podman-volume-create and containers.conf).
Overlay volume mounts
Overlay mounts are a cool little feature which is unique to Podman. Overlay mounts can be used to speed up the build process by 200% or more. With overlay mounts, container builds can more safely and easily share a local YUM/DNF cache on the host: the host directory is mounted read-only underneath a writable overlay, so the build can write into it without changing the host copy. This strategy is particularly effective when combined with UBI running on a RHEL host. RHEL provides updates for many years, which is great for security, but also generates a lot of metadata over time as patches are released.
Let’s show a quick example of how you can speed up builds. Run this to build a cache and save all of the packages locally:
podman run -v ~/ubi7:/var/cache/yum:z -ti ubi7 yum update -y --setopt=keepcache=1
Install 38 Packages
Upgrade 27 Packages
Now, test the speedup using an overlay mount (the :O volume option). This will simulate a build from within a Dockerfile/Containerfile:
time podman run -v ~/ubi7:/var/cache/yum:O ubi7 yum update -y -C
We were able to speed a build up by 230%, driving the time down from 104 seconds to 45 seconds. As RHEL 8 ages and more packages become available, the time and storage savings will be even greater.
For more information, check out this post by Dan Walsh: Speed up container builds with overlay mounts and the man page (podman-run --volume).
Technology Preview of the crun container runtime
As we look forward to RHEL 9, we are focusing on how best to support more refined resource allocation (CPU, RAM, disk, network, etc.) with cgroups v2. We continue to make crun available as a Technology Preview, with the intent to make it generally available and enable rock solid support for cgroups v2 in a future version of RHEL 8 as well as RHEL 9.
We plan to continue to fully support runc in future versions of RHEL 8 as well as RHEL 9. Finally, runc will remain the default for the life of RHEL 8. We plan to introduce crun as an optional container runtime in a future version of RHEL 8 to support elegant new features while still maintaining complete compatibility with OCI standards.
Podman container image
With the release of RHEL 8.4, we continued testing the Podman container image and getting feedback from users. We continue to improve the user experience for this container image and continue to make it available as a Technology Preview.
Pause container image
Podman historically shared the same pause image as upstream Kubernetes. While this is a perfectly fine image, it didn’t meet some stringent security requirements. To solve this, we’ve built a dedicated pause container from RHEL 8 and the Red Hat Universal Base Image. We’ve also configured Podman to use this new image when run on a RHEL 8 host.
This covers all of the major new features in the containers subsystem of RHEL 8.4. Stay tuned to the Red Hat Blog for more updates on RHEL containers.