4 Podman Containers

Use Podman to create, run, and manage containers.

Containers are running instances of images. Each container uses an image as its starting point and then loads into run time by using the parameters that are provided when it's created or run.

Podman can run containers based on images that comply with the Open Container Initiative specification. Most Podman commands map directly to the command equivalents that are available in the Docker CLI.

A key difference between Podman and Docker is that while the Docker Engine runs as a service on the host and all actions are performed by the service, Podman runs as a standalone runtime so that each operation is independent. This difference is important, because it changes the security model around working with images and containers.

As Podman operations aren't dependent on a service daemon running as a particular user on the system, Podman provides more isolated containers than Docker. This also means that you can run Podman either with or without root permissions.

Podman respects user namespaces, so several users on a single host can run their own containers and local image stores without conflicts. Because containers running within a user's namespace are limited to the permissions available to that user on the host system, Podman can be more secure in some scenarios than Docker.

When running Podman as a standard user without root permissions, functionality can be more limited. For example, most container networking is achieved by using port mapping and port forwarding, and workarounds are required to make that functionality available to standard users without compromising broader system security. Many such limitations that arise for a standard user can be mitigated by using the provided network drivers and running groups of containers inside a pod. For more information about networking and Podman, see Podman Networking. For more information about pods, see Podman Pods.

In general, the instructions provided here apply similarly regardless of whether Podman is run by a system administrator or not.

Creating Containers

Create a container from a container image using the podman create command.

You can create a container from an existing image using the podman create command. This creates, but doesn't start, a container.

If the image doesn't already exist on the local system, Podman searches the remote registries for a matching image and pulls the image automatically.

The container is created and the container ID is displayed in the output. The container is created with the initial state of Created.

You can specify other options when creating a container, such as whether it belongs to a particular pod or whether it uses a particular network or port mapping. Use the podman help create command to see more information. Options are extensive and can be used to apply a wide range of runtime functionality to any container.

For more information on the podman create command, use the podman-create(1) manual page.

Example 4-1 Create a container from an image

Create a container named oracle from an oraclelinux:9-slim image:

podman create --name oracle oraclelinux:9-slim

Show the container is created by listing all the containers:

podman ps --all

The output looks similar to:

CONTAINER ID  IMAGE                                                COMMAND     CREATED         STATUS      PORTS       NAMES
4fbb572f7dcb  container-registry.oracle.com/os/oraclelinux:9-slim  /bin/bash   1 minute ago    Created                 oracle

Running Containers

Podman offers many ways to run a container. The examples here show you a few options.

Use the podman run command to run a container. If you run a container that doesn't already exist, it's created automatically. If the image that the container uses isn't available locally, Podman searches the remote registries for a matching image and pulls the image automatically.

You can create a container and connect to it in a single step by using the -it flag. The -i flag makes the container interactive and -t connects the local terminal to the container. This flag combination is commonly used when running a specified shell as part of the podman run command.

You can start a container and run a single command in it; when the command completes, the container is destroyed. Use the podman run command with the --rm flag to do this.

You can also create Podman containers that continue to run as a background daemon by including the -d flag in the command.

If a container runs a shell as the primary process (PID 1) and you intend to detach it, run it with the --stop-signal=SIGHUP command option so that the shell is stopped cleanly when you stop the container. Many shells ignore the default SIGTERM signal when stopping a container. If the correct stop-signal isn't used, the container might return the following error when the container is stopped:

WARN[0010] StopSignal SIGTERM failed to stop container myol9 in 10 seconds, resorting to SIGKILL

For more information on the podman run command, use the podman-run(1) manual page.

Example 4-2 Run a container and run a system command

podman run --rm oraclelinux:9-slim cat /etc/oracle-release

A container is started, and when the system command completes (the cat command in this example), the container is destroyed. The output looks similar to:

Oracle Linux Server release 9.6

Example 4-3 Run a container and connect to the Bash shell

podman run --name oracleshell -it oraclelinux:9-slim /bin/bash

A container is started, and the Bash shell is started. The output looks similar to:

bash-5.1#

You can run system commands in the shell. For example:

cat /etc/oracle-release

The output looks similar to:

Oracle Linux Server release 9.6

The container stops as soon as you disconnect by typing exit.

To restart the container and connect to it again, run the podman start command. For example:

podman start -ai oracleshell

Example 4-4 Running a container in the background

podman run -d --name oracledaemon oraclelinux:9-slim /bin/bash -c 'sleep 1000'

Example 4-5 Running a container with a shell as the primary process

podman run --stop-signal SIGHUP --name myol9 oraclelinux:9-slim
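The following script is an added example and is not part of the Oracle documentation. It wraps the two points made above about detached shell containers: it runs such a container with --stop-signal=SIGHUP, and it scans the output of podman stop for the SIGKILL fallback warning quoted earlier so that a container that is still ignoring its stop signal is noticed rather than silently killed. The function names are our own; the WARN line matched is the one shown in the documentation.

```shell
#!/bin/sh
# Added example, not Oracle's code. Helpers for running a detached container
# whose primary process is a shell, and for detecting when "podman stop" had to
# fall back to SIGKILL because the shell ignored the stop signal.

# Print the podman run command line for a detached shell container. SIGHUP is
# used as the stop signal because shells commonly ignore SIGTERM. This is for
# display only: multi-word arguments are joined with spaces, without quoting.
detached_shell_cmd() {
  name=$1
  image=$2
  shift 2
  printf 'podman run -d --stop-signal=SIGHUP --name %s %s %s' "$name" "$image" "$*"
}

# Actually run the container (requires podman on the host). "$@" preserves the
# original argument boundaries, unlike the display helper above.
run_detached_shell() {
  name=$1
  image=$2
  shift 2
  podman run -d --stop-signal=SIGHUP --name "$name" "$image" "$@"
}

# Return 0 if a single line of podman output reports the SIGTERM -> SIGKILL
# fallback, 1 otherwise.
stop_fell_back_to_sigkill() {
  case $1 in
    *"failed to stop container"*"resorting to SIGKILL"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read podman stop output on stdin. Return 2 if the fallback warning appears on
# any line, 0 otherwise. The container name podman echoes on success is ignored.
check_stop_output() {
  status=0
  while IFS= read -r line; do
    if stop_fell_back_to_sigkill "$line"; then
      echo "container ignored its stop signal; recreate it with --stop-signal=SIGHUP" >&2
      status=2
    fi
  done
  return $status
}

# Stop a container and report whether podman escalated to SIGKILL. podman stop
# writes the warning to stderr, so both streams are merged before scanning.
stop_and_check() {
  podman stop "$1" 2>&1 | check_stop_output
}

# Only touch podman when a container name is passed on the command line, so the
# helper definitions above can be sourced or tested without podman installed.
if [ -n "${1:-}" ]; then
  stop_and_check "$1"
fi
```

Invoke the script with a container name (for example the myol9 container from Example 4-5) to stop it and get an exit status of 2 if podman had to resort to SIGKILL; an exit status of 0 means the stop signal was honoured within the timeout.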

Enabling FIPS Mode in Containers

To run containers in FIPS mode, you must first enable FIPS mode on the Oracle Linux host system.

After you enable FIPS mode on an Oracle Linux host, Podman runs Oracle Linux containers in FIPS mode automatically.

For more information about enabling FIPS mode on Oracle Linux hosts, see the following documents:

Note:

Oracle provides FIPS compliant container images by using the slim-fips tag. Container images tagged as FIPS compliant include compliant cryptographic package versions and initial image setup required for container FIPS mode. If you use these images you don't need to perform any extra steps to configure a container for FIPS mode. See The slim Tag for more information.
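Because FIPS mode in a container depends on the host being in FIPS mode first, a pre-flight check before launching a container that must be FIPS compliant is useful. The script below is an added example, not Oracle's code: it reads the kernel's FIPS flag at /proc/sys/crypto/fips_enabled (the standard location on Linux; the path can be overridden for testing) and checks whether the image reference carries the slim-fips tag mentioned in the note above. The function names and the exit-status convention are our own.

```shell
#!/bin/sh
# Added example, not Oracle's code. Pre-flight check for running a container in
# FIPS mode: the host must already be in FIPS mode, and ideally the image
# should be one of the slim-fips tagged images so no extra in-container setup
# is needed.

# Return 0 if the kernel reports FIPS mode on. The flag file path can be
# overridden (used by the tests to supply a constructed file).
host_fips_enabled() {
  f=${1:-/proc/sys/crypto/fips_enabled}
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Return 0 if an image reference ends in a slim-fips tag, 1 otherwise.
image_is_fips_tagged() {
  case $1 in
    *:*slim-fips) return 0 ;;
    *) return 1 ;;
  esac
}

# Exit status: 0 = host in FIPS mode and image is FIPS tagged;
#              1 = host is not in FIPS mode (containers will not be either);
#              2 = host OK but the image is not a slim-fips image.
fips_preflight() {
  image=$1
  fipsfile=${2:-/proc/sys/crypto/fips_enabled}
  if ! host_fips_enabled "$fipsfile"; then
    echo "host is not in FIPS mode; $image would not run in FIPS mode" >&2
    return 1
  fi
  if ! image_is_fips_tagged "$image"; then
    echo "note: $image is not a slim-fips image; extra setup may be needed" >&2
    return 2
  fi
  return 0
}

# Run the check for an image given on the command line, e.g.
#   ./fips-preflight.sh container-registry.oracle.com/os/oraclelinux:9-slim-fips
if [ -n "${1:-}" ]; then
  fips_preflight "$1"
fi
```

Use exit status 1 as a hard stop in automation; status 2 is a warning that the image was not built with the FIPS-compliant package set, which the note above says only the slim-fips images carry.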

Listing and Monitoring Containers

Podman contains various commands to list and monitor containers. The examples here show you a few options.

Example 4-6 List the running containers

You can list all the running Podman containers using the podman ps command. Use the --all flag to also display the stopped and paused containers:

podman ps --all

The command shows similar output to the following:

CONTAINER ID  IMAGE                                                COMMAND               CREATED         STATUS                     PORTS       NAMES
dfb0dc74293a  container-registry.oracle.com/os/oraclelinux:9-slim  /bin/bash             17 minutes ago  Exited (0) 12 minutes ago              oracleshell
1dd4aff270bb  container-registry.oracle.com/os/oraclelinux:9-slim  /bin/bash -c slee...  10 minutes ago  Up 10 minutes                          oracledaemon

Example 4-7 Show container logs

To review the logs generated by a container that has already performed actions, use the podman logs command with the NAME or CONTAINER ID of the container. For example:

podman logs oracleshell

Example 4-8 Show container hardware resources

To review the hardware resource usage statistics for any running container, use the podman stats command. For example:

podman stats oracleshell

The command provides similar output to the following:

ID            NAME         CPU %       MEM USAGE / LIMIT  MEM %       NET IO      BLOCK IO    PIDS        CPU TIME    AVG CPU %
bae740b48b53  oracleshell  0.00%       0B / 0B            0.00%       0B / 0B     0B / 0B     0           0s          0.00%

Note:

To review statistics for containers without root permissions, you need to enable cgroups v2 on the host system. This isn't enabled by default for Oracle Linux 8 hosts, but is enabled by default for Oracle Linux 9 and Oracle Linux 10 hosts. For more information about cgroups v2, see Run Control Group Version 2 on Oracle Linux.

Pausing and Resuming Containers

Pause and resume Podman containers using the podman pause and podman unpause commands.

If you need to temporarily halt the operation of a container without destroying its workload, use the podman pause command and specify the container name or ID.

Running the podman pause command freezes all the running processes inside a container, in their current state. When you're ready for the container to resume where it was halted, you can instruct the container to continue with its previous operation from that point by using the podman unpause command with the container name or ID.

For more information on the podman pause command, use the podman-pause(1) manual page. For information on the podman unpause command, use the podman-unpause(1) manual page.

Example 4-9 Pause a container

podman pause mycontainer

Example 4-10 Unpause a container

podman unpause mycontainer

Stopping and Removing Containers

Stop and remove Podman containers using the podman stop and podman rm commands.

To stop a container, use the podman stop command with the name or container ID. If you need to temporarily take the server down for maintenance, you can stop every running container that hasn't already been paused by appending the --all flag to the podman stop command.

To delete a container, use the podman rm command with the container name or ID. You can also use the --all flag to remove all containers.

For more information on the podman stop command, use the podman-stop(1) manual page. For information on the podman rm command, use the podman-rm(1) manual page.

Example 4-11 Stop a container

podman stop mycontainer

Example 4-12 Stop all containers

podman stop --all

Example 4-13 Remove a container

podman rm mycontainer

Example 4-14 Remove all containers

podman rm --all