Summary
Podman is a daemonless engine for building, running and managing OCI containers and pods. On Linux it runs containers directly on the host kernel; the podman machine subcommand additionally manages a Fedora CoreOS virtual machine (mainly for macOS and Windows, optional on Linux). It is developed by Red Hat and published as open source software (OSS) under the Apache License 2.0. The source code is written in Go.
As I wrote before, it is cross-platform and designed to be highly compatible with Docker's command line.
This post shows how to install Podman on Artix Linux, which is based on Arch Linux and systemd-free.
Environment
- OS: Artix Linux (based on Arch Linux) where I chose OpenRC as init system
- Container engine: Podman 4.3.1
Tutorial
* doas (OpenDoas) can be replaced with sudo.
Install via Pacman
Podman is in the repositories, so pacman installs it with one command. (The commands below use pacman -Sy as I ran them; on a rolling release it is safer to use pacman -Syu, because refreshing the package database without upgrading can leave the new packages linked against libraries older than they expect.)
$ doas pacman -Sy podman
pacman asks which provider of container-network-stack to use. I chose the default, cni-plugins. Note that CNI is deprecated in Podman 4 in favour of netavark (choice 3 below), which is the stack a new installation should prefer:
:: Synchronizing package databases...
(...)
resolving dependencies...
:: There are 3 providers available for container-network-stack:
:: Repository galaxy
1) cni-plugins
:: Repository community
2) cni-plugins 3) netavark
Enter a number (default=1):
Then followed by:
looking for conflicting packages...
Packages (14) catatonit-0.1.7-2 cni-plugins-1.2.0-2 conmon-1:2.1.5-1 containers-common-1:0.50.1-2
criu-3.17.1-1 crun-1.7.2-1 libslirp-4.7.0-1 nftables-1:1.0.6-1 protobuf-c-1.4.1-1
python-protobuf-21.12-1 python-six-1.16.0-6 slirp4netns-1.2.0-1 yajl-2.1.0-5
podman-4.3.1-2
Total Download Size: 30.62 MiB
Total Installed Size: 177.23 MiB
:: Proceed with installation? [Y/n] y
The installation started and the output was:
:: Retrieving packages...
podman-4.3.1-2-x86_64 16.2 MiB 2.51 MiB/s 00:06 [#################################] 100%
(...)
Total (14/14) 30.6 MiB 1457 KiB/s 00:22 [#################################] 100%
(14/14) checking keys in keyring [#################################] 100%
(...)
(14/14) checking available disk space [#################################] 100%
:: Processing package changes...
( 1/14) installing catatonit [#################################] 100%
(...)
(14/14) installing podman [#################################] 100%
Optional dependencies for podman
apparmor: for AppArmor support
btrfs-progs: support btrfs backend devices [installed]
cni-plugins: for an alternative container-network-stack implementation [installed]
podman-compose: for docker-compose compatibility
podman-docker: for Docker-compatible CLI
:: Running post-transaction hooks...
(1/1) Creating temporary files...
Confirm Kernel parameters
Rootless Podman creates user namespaces, so the kernel parameter kernel.unprivileged_userns_clone must be enabled. (This knob is specific to the Arch-patched kernel; on a kernel without it, user namespaces are available to unprivileged users whenever user.max_user_namespaces is non-zero.) Check that it is set to 1 instead of 0:
$ sysctl kernel.unprivileged_userns_clone
The output was:
kernel.unprivileged_userns_clone = 1
OK.
Install QEMU
QEMU, a "generic and open source machine emulator and virtualizer", is only needed for podman machine, which boots a Fedora CoreOS virtual machine and runs Podman inside it. Ordinary podman run containers need no virtual machine on Linux, so this step can be skipped if you never call podman machine.
It's available via pacman, too. Let's install it:
$ doas pacman -Sy qemu-base
pacman asks which package should provide libwolfssl.so; the same wolfssl package is offered from two repositories, so the default is fine:
:: Synchronizing package databases...
(...)
:: There are 2 providers available for libwolfssl.so=35-64:
:: Repository world
1) wolfssl
:: Repository extra
2) wolfssl
Enter a number (default=1):
The output was:
looking for conflicting packages...
Packages (44) capstone-4.0.2-6 dtc-1.6.1-4 edk2-ovmf-202211-3 libcacard-2.7.0-2.1 libnfs-5.0.2-1
liburing-2.3-1 multipath-tools-0.9.4-1 numactl-2.0.16-1 qemu-audio-spice-7.2.0-3
qemu-block-curl-7.2.0-3 qemu-block-dmg-7.2.0-3 qemu-block-nfs-7.2.0-3
qemu-block-ssh-7.2.0-3 qemu-chardev-spice-7.2.0-3 qemu-common-7.2.0-3
qemu-hw-display-qxl-7.2.0-3 qemu-hw-display-virtio-gpu-7.2.0-3
qemu-hw-display-virtio-gpu-gl-7.2.0-3 qemu-hw-display-virtio-gpu-pci-7.2.0-3
qemu-hw-display-virtio-gpu-pci-gl-7.2.0-3 qemu-hw-display-virtio-vga-7.2.0-3
qemu-hw-display-virtio-vga-gl-7.2.0-3 qemu-hw-s390x-virtio-gpu-ccw-7.2.0-3
qemu-hw-usb-host-7.2.0-3 qemu-hw-usb-redirect-7.2.0-3 qemu-hw-usb-smartcard-7.2.0-3
qemu-img-7.2.0-3 qemu-pr-helper-7.2.0-3 qemu-system-x86-7.2.0-3
qemu-system-x86-firmware-7.2.0-3 qemu-tools-7.2.0-3 qemu-ui-curses-7.2.0-3
qemu-ui-opengl-7.2.0-3 qemu-ui-spice-app-7.2.0-3 qemu-ui-spice-core-7.2.0-3
qemu-virtiofsd-7.2.0-3 seabios-1.16.1-1 snappy-1.1.9-2 spice-0.15.1-1
usbredir-0.13.0-1 vde2-2.3.3-3 virglrenderer-0.10.4-1 wolfssl-5.5.4-1
qemu-base-7.2.0-3
Total Download Size: 30.00 MiB
Total Installed Size: 138.25 MiB
:: Proceed with installation? [Y/n] y
:: Retrieving packages...
edk2-ovmf-202211-3-any 15.2 MiB 2.11 MiB/s 00:07 [#################################] 100%
(...)
Total (44/44) 30.0 MiB 528 KiB/s 00:58 [#################################] 100%
(44/44) checking keys in keyring [#################################] 100%
(...)
(44/44) checking available disk space [#################################] 100%
:: Processing package changes...
( 1/44) installing numactl [#################################] 100%
(...)
(44/44) installing qemu-base [#################################] 100%
Optional dependencies for qemu-base
qemu-audio-alsa: for ALSA audio driver
(...)
qemu-virtiofsd: for virtio-fs shared filesystem daemon [installed]
samba: for SMB/CIFS server support
:: Running post-transaction hooks...
(1/5) Creating system user accounts...
Creating group 'qemu' with GID 973.
Creating user 'qemu' (QEMU user) with UID 973 and GID 973.
(2/5) Creating temporary files...
(3/5) Reloading device manager configuration...
(4/5) Updating icon theme caches...
(5/5) Updating the desktop file MIME type cache...
Troubleshooting
Without qemu-base installed, podman machine init fails with:
$ podman machine init
Error: exec: "qemu-system-x86_64": executable file not found in $PATH
Install additional dependencies
According to the Arch Linux wiki's Podman page, rootless Podman needs fuse-overlayfs, a "FUSE implementation of overlayfs" (so that an unprivileged user can have a layered container filesystem), and slirp4netns, "User-mode networking for unprivileged network namespaces".
The latter was pulled in as a dependency of podman, but the former wasn't. So let's install it:
$ doas pacman -Sy fuse-overlayfs
The output was:
:: Synchronizing package databases...
(...)
resolving dependencies...
looking for conflicting packages...
Packages (1) fuse-overlayfs-1.10-1
Total Installed Size: 0.11 MiB
:: Proceed with installation? [Y/n] y
(...)
(1/1) installing fuse-overlayfs [#####################################] 100%
Configure Podman
containers.conf
Podman's default cgroup manager is systemd, which needs a running systemd (and its per-user manager for rootless containers). Artix is systemd-free, so we have to tell Podman to drive cgroups directly through cgroupfs instead. Edit the conf:
$ # make a backup
$ doas cp -p /etc/containers/containers.conf /etc/containers/containers.conf.org
$ # edit
$ doas nvim /etc/containers/containers.conf
and set the following in the [engine] section:
#cgroup_manager = "systemd"
+ cgroup_manager = "cgroupfs"
Two caveats. With cgroupfs, rootless containers cannot apply resource limits (--memory, --cpus and friends) unless the cgroup v2 tree has been delegated to your user, which is something systemd normally arranges; Podman warns and runs the container without limits. And because the Arch package is built with journald support, if podman run or podman events complains about the journal, set events_logger = "file" in the same section, since there is no journald on OpenRC. The same settings can also live per user in ~/.config/containers/containers.conf, which overrides the system-wide file.
uid / gid
Since Podman works in rootless mode by default, your login user needs a range of subordinate user and group IDs onto which container users are mapped. /etc/subuid and /etc/subgid are the configuration files. Append a line for your login user to each of them like:
+ {your-user}:100000:65536
The three fields are user, first subordinate ID and count: this delegates the 65536 IDs from 100000 through 165535 to the user, enough for the usual 0..65535 range inside a container. Each user needs their own range, and ranges must not overlap one another or any real account in /etc/passwd, since an overlap would let one user's containers own another user's files. After changing these files, run podman system migrate (next step) so that Podman picks up the new mapping.
Podman system migration
Run:
$ podman system migrate
This stops running containers and migrates Podman's state to the current version; it is also what makes Podman re-read the subordinate ID ranges. The output was:
WARN[0000] "/" is not a shared mount, this could cause issues or missing mounts with rootless containers
The warning is not about a missing package: systemd marks the root mount as "shared" at boot so that mount events propagate into containers' mount namespaces, and OpenRC does not. The fix is to make the root mount shared, as root, with mount --make-rshared /, and to repeat that at every boot, for example from an OpenRC local.d start script.
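The three preconditions above (the kernel knob, the subordinate ID ranges, and the shared root mount) are easy to get subtly wrong, so here is a preflight script that checks all of them. It is an added example, not code from the original post or from the Podman project. It assumes an Arch-style kernel that exposes kernel.unprivileged_userns_clone, shadow-utils' NAME:START:COUNT layout for /etc/subuid and /etc/subgid, and the /proc/self/mountinfo format for mount propagation; the sample files used in the comments are constructed.

```sh
#!/bin/sh
# Added example: preflight checks for rootless Podman on a systemd-free host.
# Not part of the original post. Assumes an Arch-style kernel with the
# unprivileged_userns_clone knob, shadow-utils' NAME:START:COUNT subid format,
# and /proc/self/mountinfo for mount propagation.

# check_userns [FILE]
#   0 if FILE (default: the sysctl under /proc) contains 1, 1 if it contains 0,
#   2 if the knob does not exist on this kernel.
check_userns() {
    _f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    [ -r "$_f" ] || return 2
    [ "$(cat "$_f")" = "1" ]
}

# check_subids FILE USER [MIN]
#   Validates /etc/subuid or /etc/subgid: USER has a range of at least MIN
#   (default 65536) ids, no range starts below 1000 (real system accounts live
#   there), and no two ranges overlap (an overlap lets one user's containers
#   own another user's files). Prints each problem; returns 0 only if none.
check_subids() {
    awk -F: -v user="$2" -v min="${3:-65536}" '
        /^[[:space:]]*$/ || /^#/ { next }
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
            printf "line %d: malformed entry: %s\n", NR, $0; bad++; next
        }
        {
            n++; name[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1
            if (lo[n] < 1000) { printf "line %d: range for %s starts below 1000\n", NR, $1; bad++ }
            if ($1 == user && $3 + 0 >= min) have = 1
        }
        END {
            if (!have) { printf "no range of at least %d ids for %s\n", min, user; bad++ }
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "ranges of %s and %s overlap\n", name[i], name[j]; bad++
                    }
            exit bad > 0
        }' "$1"
}

# root_is_shared [MOUNTINFO]
#   0 if the "/" entry of a /proc/self/mountinfo-format file carries a
#   "shared:N" propagation field, which is what Podman's "not a shared mount"
#   warning is about. Fields: 1 id, 2 parent, 3 maj:min, 4 root, 5 mount point,
#   6 options, then optional fields up to the "-" separator.
root_is_shared() {
    awk '$5 == "/" { for (i = 7; i <= NF && $i != "-"; i++) if ($i ~ /^shared:/) ok = 1 }
         END { exit !ok }' "${1:-/proc/self/mountinfo}"
}

# Run against the live system only when asked, so the functions above can also
# be sourced and exercised on constructed files (e.g. a file containing
# "alice:100000:65536" and "bob:150000:65536" is reported as overlapping).
if [ "${1:-}" = "--live" ]; then
    me=$(id -un); rc=0
    check_userns || { echo "kernel.unprivileged_userns_clone is not 1"; rc=1; }
    check_subids /etc/subuid "$me" || rc=1
    check_subids /etc/subgid "$me" || rc=1
    root_is_shared || { echo '"/" is not shared; run: doas mount --make-rshared /'; rc=1; }
    [ $rc -eq 0 ] && echo "rootless prerequisites look fine for $me"
    exit $rc
fi
```

Run it as sh preflight.sh --live after editing /etc/subuid and /etc/subgid and before podman system migrate. Instead of editing the subid files by hand, shadow's usermod --add-subuids 100000-165535 --add-subgids 100000-165535 {your-user} writes the same entries and refuses an overlapping range.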
Initialize virtual machine
Now podman is ready to create your first virtual machine!! Run:
$ podman machine init
The output was:
Downloading VM image: fedora-coreos-37.20230110.2.0-qemu.x86_64.qcow2.xz: done
Extracting compressed file
Image resized.
Error: exec: "timedatectl": executable file not found in $PATH
The error occurs because podman machine init defaults to --timezone local, which it resolves on Linux by calling systemd's timedatectl so it can hand the host's timezone to the VM; OpenRC has no timedatectl 😅
How in the world is the current situation?
The VM image was downloaded and the machine was registered, but its Ignition file (the first-boot configuration for Fedora CoreOS) was not written because of the error above.
It is fatal, not always but sometimes. It's better to fix it. I'll show how to do it in another post.
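Since the failing call only serves to discover the host's timezone, one workaround is to look the zone up yourself and pass it explicitly. The helper below is an added example, not code from the original post or from Podman. It assumes the usual Arch/Artix layout where /etc/localtime is a symlink into /usr/share/zoneinfo, and it assumes that giving podman machine init a zone name via --timezone (whose documented default is "local") is what avoids the timedatectl call; the sample symlinks mentioned in the comments are constructed.

```sh
#!/bin/sh
# Added example: derive the host's zone name from the /etc/localtime symlink,
# the way timedatectl would report it, so "podman machine init" can be given an
# explicit --timezone. Not part of the original post. Assumes /etc/localtime is
# a symlink into /usr/share/zoneinfo and that --timezone <zone> bypasses
# timedatectl (documented default is "local").

# tz_from_localtime [LINK] [ZONEINFO_DIR]
#   Prints the zone name (e.g. Europe/Berlin) that LINK points to inside
#   ZONEINFO_DIR. Fails if LINK is not a symlink or points elsewhere, so a
#   plain-file /etc/localtime or a bogus link is reported instead of producing
#   a nonsense zone. Relative targets such as ../usr/share/zoneinfo/Asia/Tokyo
#   are accepted as well.
tz_from_localtime() {
    _link=${1:-/etc/localtime}
    _dir=${2:-/usr/share/zoneinfo}
    [ -L "$_link" ] || { echo "$_link is not a symlink" >&2; return 1; }
    _target=$(readlink "$_link")
    case $_target in
        *"$_dir"/*) printf '%s\n' "${_target##*"$_dir"/}" ;;
        *) echo "$_link does not point into $_dir: $_target" >&2; return 1 ;;
    esac
}

# Only touch podman when explicitly asked, so the function can be sourced and
# exercised on constructed symlinks.
if [ "${1:-}" = "--live" ]; then
    tz=$(tz_from_localtime) || exit 1
    echo "host timezone: $tz"
    exec podman machine init --timezone "$tz"
fi
```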
Manage container images
Now you can pull container images from hosting services. For example, let's get Alpine Linux, one of the most popular, from Docker Hub:
$ podman pull docker.io/alpine
Got it 😉 ? In my case, the output was:
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob (...)
Copying config (...)
Writing manifest to image destination
Storing signatures
(...)
Can make it a bit more convenient
Besides, if you want to omit the docker.io/ prefix, edit registries.conf:
$ # make a backup
$ doas cp -p /etc/containers/registries.conf /etc/containers/registries.conf.org
$ # edit
$ doas nvim /etc/containers/registries.conf
to append the lines to the bottom:
+ [registries.search]
+ registries = ['docker.io']
Two things to keep in mind. This is the old v1 format; the current (v2) key is unqualified-search-registries = ["docker.io"], and Podman refuses a file that mixes v1 tables with v2 keys, so check which format the packaged /etc/containers/registries.conf already uses before appending. And keep the search list to a single registry: with several entries a short name like alpine is ambiguous, and a typo or a lookalike name can resolve to an image on a registry you did not intend. Fully qualified names, as in the pull above, avoid the question entirely.
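To make the short-name behaviour concrete, here is an added example (not from the original post or from the Podman project) that prints what a given image name will actually be pulled as, and lints a registries.conf for the two problems just described. It assumes Podman's documented short-name rules: a first path component that contains no "." or ":" and is not "localhost" is not a registry, single-component docker.io names live under library/, and the tag defaults to latest. The configuration files mentioned in the comments are constructed.

```sh
#!/bin/sh
# Added example: resolve short image names the way Podman does, and lint a
# registries.conf for mixed v1/v2 syntax and ambiguous search lists.
# Not part of the original post. Assumes Podman's documented short-name rules.

# qualify_image NAME [SEARCH_REGISTRY]
#   Prints the fully qualified reference NAME resolves to, defaulting the tag
#   to :latest; SEARCH_REGISTRY (default docker.io) is used for short names.
#   e.g. "alpine" -> docker.io/library/alpine:latest
#        "docker.io/httpd:alpine" -> docker.io/library/httpd:alpine
qualify_image() {
    _name=$1; _search=${2:-docker.io}
    _last=${_name##*/}
    case $_last in
        *@*) _ref="@${_last#*@}"; _name=${_name%@*} ;;   # digest reference
        *:*) _ref=":${_last#*:}"; _name=${_name%:*} ;;   # explicit tag
        *)   _ref=":latest" ;;                            # no tag given
    esac
    _first=${_name%%/*}
    case $_first in
        *.*|*:*|localhost) _reg=$_first; _path=${_name#*/} ;;   # registry given
        *)                 _reg=$_search; _path=$_name ;;       # short name
    esac
    # Docker Hub keeps official single-component images under library/
    if [ "$_reg" = "docker.io" ]; then
        case $_path in */*) ;; *) _path="library/$_path" ;; esac
    fi
    printf '%s/%s%s\n' "$_reg" "$_path" "$_ref"
}

# check_registries_conf FILE
#   Prints the effective search list and flags (1) v1 [registries.*] tables
#   mixed with v2 keys, which Podman rejects outright, and (2) more than one
#   unqualified-search registry, which makes short names ambiguous.
#   Returns 0 only when neither problem is present.
check_registries_conf() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*\[/ { table = $0; gsub(/[[:space:]]/, "", table) }
        /^[[:space:]]*\[registries\.(search|insecure|block)\]/ { v1 = 1 }
        /^[[:space:]]*unqualified-search-registries[[:space:]]*=/ { v2 = 1; list = $0 }
        table == "[registries.search]" && /^[[:space:]]*registries[[:space:]]*=/ { list = $0 }
        END {
            if (list != "") {
                sub(/^[^=]*=[[:space:]]*\[/, "", list); sub(/\].*$/, "", list)
                n = split(list, part, ",")
                for (i = 1; i <= n; i++) {
                    gsub(/[^A-Za-z0-9._:\/-]/, "", part[i])   # strip quotes and blanks
                    if (part[i] != "") {
                        cnt++
                        if (cnt > 1) regs = regs ", "
                        regs = regs part[i]
                    }
                }
            }
            if (cnt) print "search registries: " regs
            else print "search registries: none (only fully qualified names will work)"
            if (v1 && v2) { print "problem: v1 [registries.*] tables mixed with v2 keys"; bad++ }
            if (cnt > 1) { print "problem: more than one search registry; short names are ambiguous"; bad++ }
            exit bad > 0
        }' "$1"
}
```

Typical use: qualify_image httpd:alpine shows that the pull below will fetch docker.io/library/httpd:alpine, and check_registries_conf /etc/containers/registries.conf should report a single search registry and no problems after the edit.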
Run web server for testing
We are ready, although there are still a few things it's better to fix. Let's run a container and have fun.
Get the Apache httpd server image on Alpine:
$ podman pull docker.io/httpd:alpine
Then run it:
$ podman run -p 8080:80 httpd:alpine
Note that -p 8080:80 publishes the port on every interface of the host, so anyone on your network can reach the test server; -p 127.0.0.1:8080:80 limits it to the local machine. Access http://127.0.0.1:8080 with your browser.
You will see... 😄
Conclusion
Podman is developed with security and stability in mind. First, Podman is daemonless: there is no central, long-running root daemon whose crash or compromise would take every container with it, so one misbehaving container rarely affects another. Additionally, containers are rootless by default, so a process that breaks out of a container only gains the rights of an unprivileged user on the host.
I hope that Podman brings you environments that are as reusable and isolated as possible, and with them better productivity and operations.