Say Goodbye To Root Accounts With Podman!

Captions
Docker is a very popular platform for containers, but there's one thing that concerns me about it: containers are run using the root account. Now, the developers did make it possible to run containers using a non-root account, but that's not part of the default installation process. So why not use another platform like Podman? Well, what sets Podman apart is that it's daemonless, and its default installation makes running containers more secure. But how do you install Podman and run containers? Well, if that's something that you're interested in finding out, then stick around and watch this video, as that's what we'll be going over.

Now, installing Podman onto a Debian distro is about as easy as it gets. The first thing we need to do, though, is just make sure that our package information is up to date, because we want to make sure we get the latest version, so running sudo apt update there. Then what we're going to do is to install Podman, so sudo apt install podman, and I'm just putting in that -y parameter just so I don't have to answer a prompt, and then off it goes and installs Podman. Well, Podman has now been installed on the computer, but before I actually start to use it there is one last thing that I'm going to do, and that is I'm actually going to reboot this computer. The reason being is that if I don't, what I found is you actually start to get error messages when you actually try to use the command to run containers, for instance.

Now, running containers with Podman is pretty much just the same as it is when you're using Docker. So for example, I'm just going to copy and paste in a command to run an Apache web server, for instance. So we use podman instead of docker, then we've got run -d because we want this to run in the background, -p because we want to specify our ports. In this case the actual web server we're going to run is going to be using port 80, at least from the actual container perspective, but we're going to present this to the outside world on port 8080. Then we're going to tell it that the name of this is going to be webserver, then I'm referencing the actual image. So I'll hit return and off it will go and download that version of httpd, in other words the Apache web server, and then once it's got that it'll then actually run that in a container.

Well, now that we're back to the command prompt, we're going to actually test to see if our web server is actually working. So for example, what we could do is open up the web browser and try to connect to the actual web server through our web browser, and there we go, it's coming back and saying "it works". If we go back to the command line, on the other hand, we can just try the curl command, so because this is the actual same computer that we're running a web server on, I can just point it to itself. So just hit return and there we go, we're getting the entire HTML code there. Now, if you want to actually have a look and see what containers we're running, it's similar to Docker except we're using podman for the command, then ps, then -a as the parameter. It's coming back and giving us details of what actual containers we've got running, and if we actually want to stop the actual container, well, podman then stop and then the name of the container. So hopefully, as you can see, this is pretty much just the same as using Docker, except we're using the actual podman command.

Now, as I was mentioning in the intro, one of my concerns around Docker is the fact that with a default installation, when you start to actually run containers, those are actually being run by the root account, which isn't really good from a security perspective. And that's the benefit of Podman, because it actually runs these as rootless containers; it actually runs them using your user account, which is a lot better for security. So what we're going to do is to actually start our web server up, or at least we're going to try, because this is a feature, should we say, when it comes to Podman. So this is going to come back with an error message. Now, you don't get this problem with Docker, but if I have a look and see what containers we've got, it's saying that we've got a container which isn't actually running, but it's called webserver. That's what it's complaining about: the name's already in use for a container, so I can't create another container because the name's already in use. So like I say, you don't get that issue with Docker, but what I'm going to have to do is just clear this container, so we're using podman container prune -f so I don't have to put a response in for a prompt. Hit return and then it'll clear that container out. Then what we can do is run our web server again, so we'll just wait for that to start up.

Then what I can do is to use ps -eu and have a look at the actual processes that are running. So there's all sorts of processes being run here, plenty of them to do with Docker in here somewhere, and they're all being run by the root account. But if you look at our httpd container here, it's been run by my user account. There are some other IDs that go along with my account, so when you create the user account you get something like your main ID, but you also get a range, so what you'll find is you don't just necessarily see your name, you'll see other IDs that you've also got access to. But essentially this is not actually being run by the actual root account, and that's the main plus, the benefit, that Podman's really bringing here. I mean, what we can do is we can just filter things out and have a look and see what root is actually running, so that's ps -u for the user account, then root, then hit return. So this is everything that the actual root account's up to, so like I was saying, these are all things that have been done using Docker at the moment, because I've already got Docker installed on this as well. But yeah, I'd say that's the main benefit that Podman brings, is that if you just do that default installation, well, straight out of the box you'll be able to run your containers with a non-root account, which is much, much better from a security perspective.

But in any case, there are other things I need to do after this, so first I'm going to actually stop this web server, and then just to make sure that I don't run into any errors, I'm going to remove any unused containers using that podman container prune -f command as well.

Now, if you prefer to use a compose file to actually store all the details of your containers, then we can do that with Podman here, but first what I need to do is to install podman-compose. So sudo apt install podman-compose and then just -y so I don't have to answer the prompt. So it needs my password again, and then off it goes and installs that. Now, just like Docker Compose, podman-compose needs a compose file, so I'm going to use nano to create a file, and I'm going to call this one compose.yml. Now, Compose and podman-compose, they're based on a standard, and there's certain names that they'll work with. I don't want to start causing confusion for myself and calling this one docker-compose.yml, although it would work, because, well, I'm using Podman here, not Docker, so that's why I'm going to call this one compose.yml. So I'll hit return, then I'll copy and paste in the details, which are basically just the same as when you're using Docker. So we've got our version compatibility at the top, then our services section, and then you start to define your container. So for this web server that's going to be running Apache, or httpd, we've got webserver here, and then we're pointing it to the image that we want to use for the container. I'm going to give it a name of webserver, then I'm defining the ports: 8080 is going to be the outside port, 80 is the one the actual container itself uses. And I like to be able to have containers restarted automatically unless I actually manually stop them, so when it comes to the restart option I prefer to use unless-stopped instead of always. So save this file, and then what we're going to do is to run our podman-compose command, so podman-compose then up to actually run our containers, -d to do this in the background. Then it'll go through that file and it'll basically start up any containers that aren't already running. So this comes back with a lot more details than you normally see with docker-compose in comparison, but if we go to our website, let's just do a hard refresh, yep, it's still working. Come back to here, we've actually got podman, if I could spell, and then ps -a, so there you go, our actual web server's up, except this time we're running it using podman-compose.

Now, just like with Docker, you can also create your own images, and it is actually recommended that you do that. So the first thing I want to do is to actually create a folder for where we're actually going to store our actual image details, then we're going to switch over to that folder, and then we need to create our actual Dockerfile. Now, one thing I'm going to point out is that I've actually named the file Dockerfile, but it's actually capitalized. Now, if you use Docker then normally you just have that in lower case letters, but what I found is that if you actually have this in lower case letters it actually generates an error message, so do make sure you use that capital D. Now I'm not going to do anything particularly wonderful here, I'm going to keep things as simple as possible, so we're just going to use that Apache image and then we're just going to map a local folder into the container so that we can set up our own actual web page for this. We'll save that. Now, because I've actually told it to map an actual folder, what we're then going to do is actually create that folder, and then I'm going to create my actual index file within that folder, and again nothing too wonderful here, just some basic HTML code. Then I'm going to save that, and then what we're going to do is to actually build our own image. So basically it's the same as when you're using Docker, so in this case it's podman instead of docker, and then build -t to give it a tag or label. I'm going to call this my-apache; I'm not going to bother with an actual version, so it'll end up as the latest version. And then I want to use the existing or present working directory, so that's why we've got the path set to dot. Hit return and off it goes and builds our own image. Well, this is now finished and it's actually telling us that it's successfully built an image; it's called my-apache and it's the latest version. But I'm going to check to see what images we've got using podman then images, so you'll see that we've got the original Apache image that we downloaded, and then there's the one that we've built.

Now the thing is, I've already got a web server actually running on this computer, so if I try to run the one that we've just created, well, it'll clash. So for that reason, what we're going to do is stop that one, then while I'm here I'm just going to remove that container, and then what we're going to do is to run a container using the actual image that we've just built. So pretty much just the same command as we used before, except this time I'm going to give it a name of my-apache, and I'm going to point it to this image that we've created called my-apache, that's that one there. So hit return, and then what I can do is I can just run the curl command, for example, again. It's a container, it's running on that same local computer, so I can point it at localhost. You can see it's coming back there with our index results. I hit refresh on there, and now it's saying "this is my web server". So basically it's the same process that you use to create images for Docker.

Now, although we're getting better security here by running our containers with a non-root account, there is a slight catch, and that is we can't get access to what are known as privileged ports, in other words ports below 1024. So just to demonstrate that, what I'm going to do is to just switch back to the parent folder, we're then going to stop our container, and then I'm just going to clear that out. Now what I'm going to do is I'm going to try and run that container, but instead of mapping it from port 80 to port 8080, I'm just going to leave it at port 80. Hit return, we just wait, but basically it'll come back with an error message saying that we can't get access to ports below 1024. Now, it's actually telling you there's a file here where it's currently set to a limit of 1024, and you're going to run into the same problem if you actually set up Docker, for instance, to give you access to rootless containers. By default you don't have this problem in Docker because everything's being run as root. So this is something you need to bear in mind, because for example here I'm trying to run a web server; now, most users, I would say, are just not used to typing in a port number in the URL, so that's a bit of a problem if we're forcing them to put in port 8080 each time. So these are things you need to bear in mind. So there are ways around it, one of which, as it says, is to edit the config file and change the actual limit, but what we're going to do is just have a look in this folder here, because what you can do is you can actually create your own config file to basically override that. And I'd prefer that method, because then if this config file ever gets reverted back to the defaults as part of some sort of upgrade, at least our changes will stay intact.

So we're looking in this /etc/sysctl.d folder. There's already one in here, a file called 99-sysctl.conf. What we're going to do is to create our own file in there; I'm just going to start with 98-containers.conf. It doesn't really matter what you name it, to be honest, as long as it's something meaningful to you. And then I'm going to paste in what I want to change, which is basically the line that it was referring to. Now, I'm going to set this to a limit of 23, the reason being is port 22 is used by SSH, and I don't want to run into the potential of a conflict where I've got a container that's running some SSH session, for instance, and it clashes with my actual host computer. So that's one reason I want to leave that in. You can set this limit to basically whatever you like; if you look at some examples, they'll just set it to zero, for instance, but I'm just setting it to that higher level above SSH just on the off chance. So we'll save that file. Then what I need to do is to actually get this to reload the config, so we're using sudo sysctl --system, and it basically reloads its configurations, which includes that new file that we've just created. And off it goes, and it's saying that it's changed this value to 23. But what you can do to check is to run this command, and it'll bring you back all of the actual parameters, but I'm using grep to filter them out, so that's the only parameter I'm particularly interested in. So as you can see, it's matching what we've got up here and saying that that's now set to 23. So what I want to do, I mean, if we do podman ps -a here, it's basically got an issue here, so what I'm going to do is I'm going to stop that, and then I'm going to clear that container out, and then this time we're going to run it again, so again we're mapping it to port 80. So hit return, and there we go. So again, there's different ways you can check this, so I'm just going to use, say, curl, for example. Now notice I haven't bothered putting in an actual port, because by default with HTTP the default port is 80. If we go to the actual web browser here, just delete out 8080, there you go, it's working again. So that's how you can get around this limit of not being able to get access to ports below 1024. But there are other things we need to do, so I am going to stop this container again, and since Podman is being fussy, I'm going to remove the actual container as well.

Now, typically when it comes to containers you'll want to be running the latest version of the image, so when you first set up the container you'll specify you want the latest version, and then when you run it, sure enough, it should download the latest version. The only trouble is you have an image on your computer that's got a tag of latest, but over time it actually becomes out of date, so you do need to actually keep these images up to date. Now, you can actually do this manually. So one way to do that is to first check to see which images are on your computer, so we run podman images. So we've got one which we actually built ourselves, but then we've got another one which we downloaded called httpd. So what we could do is actually specify that we want this httpd one to be updated. Now, before you can actually update the image, you want to make sure that it's not in use, so what we're going to do is run this command, podman ps, and it'll show us what's actually running. At the moment we don't actually have any containers running, but if you did actually have a container running, you'd want to stop it using the podman stop command, and then you'd specify the name of the actual container. Now, in my case we're not running anything, so we're okay and good to go, in which case if I want to specifically update that actual image I can run this command, so podman pull, and then we point it to the actual repository where that image is, along with the actual name of the image. Hit return and off it goes. Now, in this case, this part of this video, we actually originally downloaded this not too long ago, in which case we've already got the latest version, so it's gone off and checked, but as it's saying, well, you've already got that anyway, so it hasn't actually updated. But if your image was out of date then it would get updated, and then once you've done that you can then start the container back up again. Now, if you're using podman-compose on the other hand, you can actually run this command, podman-compose and then pull. So if you actually have a look at our compose file here, we've already got a container set up, which is this httpd one, so if I run that command, what it'll do is it'll go off and check to see if we can pull down that latest version. So podman-compose pull, hit return, and sure enough off it goes and checks to see if the actual version we've got is out of date; if it was, it would then update. So there's different ways you can do this manually: you can either specifically select the actual image that you want to be updated, or, as I say, if you've got a compose file and you're using something like podman-compose, you can actually get it to update all of these actual images that you're using. The only thing you've got to bear in mind is, again, just make sure that you've actually got those containers stopped before you actually try to update any images.

Now, the main appeal about Podman is that you can actually run your containers using a rootless account, and that is better for security. The only problem is, if I actually start up a container on this computer and then reboot the computer, well, the problem is the actual container doesn't automatically get started. So if I do want a container to survive a reboot, then I need to create a service. The first thing I need to do, though, is to create a new user account, so I'm going to call this one podman-user, although I would suggest using something a bit less obvious. We'll use the useradd command, -m because we want to create a home folder, then -s and specify that we want the bash shell. I just need to provide my password here for sudo, then what I'm going to do is to switch over to that user account and go to the home folder. Now, what you do here really is up to you, because you could actually set up individual services for the actual containers, you could set up an actual shell script and get the service to run that, but because I'm using podman-compose, well, I'm going to use that. So I'm going to create a compose file in this user's home folder; I want to call it compose.yml, then I'm just going to copy and paste in the same details I used before to set up a web server here. So I'll save those details, then I'm done with this user, so I'm going to exit out.

The next thing I need to do is to create an actual service file, so that goes in /lib/systemd/system, and I'm going to call this podman-compose.service, because I'm actually going to get it to run the podman-compose command. Then I'm going to copy and paste in the actual details for this service. So when it comes to what we need: we need access to the network; I want to make sure that the service is being run using the podman-user account; the type is oneshot; RemainAfterExit is set to true; before we try to run the service I want to do a bit of a cleanup, so running podman system prune -f, in other words I don't want a prompt. When the service runs I want it to run podman-compose; I need to point it to the actual file, so I'm pointing it to this compose.yml file which is in the home folder of our podman user, and we want to use up -d, in other words we want to start up the containers and we want to do it in the background. And then when the service stops I want it all shut down, so I'm using podman-compose down. So we'll save that file. Now, because we've added a new service, we need to update the daemon, so we're running this command systemctl --system daemon-reload. Then what we're going to do is to actually make sure that the service is enabled so that it starts automatically, and then we'll actually get it to start the service.

Now, this is going to take quite a while, because the way Podman's working is that every user has their own storage, if you will. So although I've already downloaded that httpd image, for instance, for this user, well, the podman user doesn't have it, so because I'm starting this service up for the first time, it's having to go down and pull that actual image from the internet. So for me this is going to take a bit of time, so we'll just wait for the actual service to finish. Well, the service did finish, and the 64 million dollar question now is, well, is our container actually running? Well, if we run this command, podman ps, okay, we're not seeing any actual containers running. Well, if I run the curl command, so we're pointing it back to itself because we're running the container on this computer, the web server's listening on port 8080, hit return, and ah, we've actually got a web server actually responding. And the reason being is that, well, we ran that service using the podman user account, but we're actually logged in here using my account, and that's something you need to bear in mind. If you're used to running Docker with that default installation where everything is run using the root account, well, you'll be used to just being able to log in as a user and you'll be able to see all the containers running, because the root account's running them. In this particular case, everything's being run on a per-user basis, so my account isn't the account that's actually running this container, but it is actually up and running, as you can see by the fact that, well, the actual container's responding, or at least the web server that the container is running is. So yeah, it's something you need to get your head around when it comes to running a rootless platform like this, where your containers are actually run on a per-user account basis, and you can have different users running their own containers; you won't be able to see what other people are doing quite so easily. I mean, what I could do is use ps -a, for example, and you'll see that there's our httpd server there actually being run by podman-user. That is one way to find out, I suppose, but ultimately we need to know, is this actual container going to come back up if we reboot the computer?

Well, the computer is now back up and running, and I've logged back into it again. So what we're going to do to check to make sure that our container is up and running is to, well, just simply run the curl command, point it back to itself, port 8080, hit return, and sure enough we're getting a response from the actual web server which is running in that container. We can also go over to the web browser, point this to port 8080, and yeah, sure enough, we're getting a response on the web browser as well. So as you can see, by setting up that service to actually run podman-compose, we're able to actually make sure that our actual containers do survive a reboot.

Well, hopefully, as you can see, it's relatively easy to set up and run rootless containers using Podman. The only catch is, if you're only using Podman to run containers and you want these to survive a reboot, for instance, then you'll want to set up a service account to automatically start them. Now, if you prefer to use a graphical user interface over a CLI to manage your containers, then you can install Podman Desktop to do that. One thing I haven't touched on, mind, and something you may want to explore, is Podman also allows you to group containers into a pod. So aside from the security benefits and the simpler installation process, I think that's another benefit that Podman has to offer over Docker. But which do you prefer, Podman or Docker? Let me know in the comment section down below. Now, if you find this video to be useful, then do consider subscribing to the channel, as that would really mean a lot to me, but it's also a good indicator to let me know how videos like this are helpful to people such as yourselves that are watching, in which case, thank you. On the other hand, if you're not ready for that level of commitment, then I'd really appreciate it if you could press the like button, because that way that'll help to get the video out to other people that might find it useful as well.
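The three files the video has you type by hand (the sysctl drop-in in /etc/sysctl.d, the service user's compose.yml, and the podman-compose systemd unit) are written out below by an added example script. It is not code from the video or from the Podman project; it stages the files under a scratch directory so the layout can be reviewed before anything is copied onto the host, and it encodes the privileged-port rule the video runs into. Assumed names: the service account "podman-user", binaries at /usr/bin/podman and /usr/bin/podman-compose, and the start value 23 that the video chooses.

```shell
#!/bin/sh
# Added example, not the video's or Podman's own code. Stages the sysctl drop-in,
# the service user's compose file and the systemd unit under $STAGE, mirroring the
# real paths, and checks whether port 80 is bindable by a rootless process.
# Assumptions: service user "podman-user", binaries in /usr/bin, start value 23.
set -eu

STAGE="${STAGE:-${TMPDIR:-/tmp}/podman-rootless-stage}"   # assumed staging root
SVC_USER="${SVC_USER:-podman-user}"                          # assumed service account

# Kernel rule behind the error in the video: without CAP_NET_BIND_SERVICE a process
# may bind PORT only if PORT >= net.ipv4.ip_unprivileged_port_start.
# Usage: port_bindable_rootless START PORT   (exit 0 = bindable rootless)
port_bindable_rootless() {
    [ "$2" -ge "$1" ]
}

# Current value on this host; falls back to the kernel default 1024 when /proc
# cannot be read (restricted sandbox).
live_unprivileged_start() {
    cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024
}

# sysctl drop-in. 23 lets rootless containers use 80/443 while 22 (SSH) stays
# privileged, so a container cannot take over the host's SSH port.
sysctl_dropin() {
    printf 'net.ipv4.ip_unprivileged_port_start = %s\n' "$1"
}

# Compose file for the service user. Host port 80 only works after the drop-in
# is loaded with "sudo sysctl --system"; use "8080:80" until then.
compose_file() {
    cat <<'EOF'
services:
  webserver:
    image: docker.io/library/httpd:latest
    container_name: webserver
    ports:
      - "80:80"
    restart: unless-stopped
EOF
}

# systemd unit that runs podman-compose as the unprivileged service user.
# oneshot + RemainAfterExit keeps the unit "active" after "up -d" returns.
unit_file() {
    cat <<EOF
[Unit]
Description=Rootless containers via podman-compose
After=network-online.target
Wants=network-online.target

[Service]
User=$SVC_USER
Type=oneshot
RemainAfterExit=true
ExecStartPre=/usr/bin/podman system prune -f
ExecStart=/usr/bin/podman-compose -f /home/$SVC_USER/compose.yml up -d
ExecStop=/usr/bin/podman-compose -f /home/$SVC_USER/compose.yml down

[Install]
WantedBy=multi-user.target
EOF
}

# Write everything under $STAGE and list the files written.
stage_files() {
    mkdir -p "$STAGE/etc/sysctl.d" "$STAGE/home/$SVC_USER" "$STAGE/etc/systemd/system"
    sysctl_dropin 23 > "$STAGE/etc/sysctl.d/98-containers.conf"
    compose_file     > "$STAGE/home/$SVC_USER/compose.yml"
    unit_file        > "$STAGE/etc/systemd/system/podman-compose.service"
    find "$STAGE" -type f
}

# Run directly with "stage": write the files and report the live port rule.
if [ "${1:-}" = "stage" ]; then
    stage_files
    start=$(live_unprivileged_start)
    if port_bindable_rootless "$start" 80; then
        echo "port 80 is bindable rootless (start=$start)"
    else
        echo "port 80 is still privileged (start=$start); load the drop-in with: sudo sysctl --system"
    fi
fi
```

Run it as sh stage-podman.sh stage, inspect the output under the staging directory, then copy the files to their real locations, run sudo sysctl --system and sudo systemctl daemon-reload, and enable the unit. Before the first start, confirm the service user has a subordinate ID range (grep podman-user /etc/subuid); rootless Podman needs it, and useradd on Debian allocates one when the account is created.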
Info
Channel: Tech Tutorials - David McKone
Views: 707
Keywords: podman vs docker, podman compose, podman container, install podman on linux, install podman on ubuntu, install podman compose, install podman on ubuntu 22.04, podman rootless, podman rootless systemd, podman rootless setup, podman privileged ports, rootless containers podman, podman how to install, podman how to use, podman build image from dockerfile, podman build dockerfile, bodman build container
Id: 69dADRzXpqk
Length: 29min 40sec (1780 seconds)
Published: Tue Feb 13 2024