Virtualization/podman
About
Podman (the POD MANager) is a tool for managing containers and images, volumes mounted into those containers, and pods made from groups of containers. Podman runs containers on Linux, but can also be used on Mac and Windows systems using a Podman-managed virtual machine. Podman is based on libpod, a library for container lifecycle management that lives in the same repository as Podman. The libpod library provides APIs for managing containers, pods, container images, and volumes.
Podman releases a new major or minor release 4 times a year, during the second week of February, May, August, and November. Patch releases are more frequent and may occur at any time to get bugfixes out to users. All releases are PGP signed. Public keys of members of the team approved to make releases are located here.
Installation
Install podman
apt install podman
Debian Stable ships a rather old version, but there is no real alternative.
Privileged ports
--privileged containers
- Same rights and capabilities as the user that the container runs as
- The user needs to be privileged to bind to privileged ports
- The container gains additional, unnecessary capabilities
-> suboptimal
setcap cap_net_bind_service=ep /usr/bin/rootlesskit
- All containers may bind to privileged ports
-> suboptimal
sysctl net.ipv4.ip_unprivileged_port_start=$PORT_NUMBER
- All containers may bind to the specified privileged port
-> suboptimal
Redirection via firewall
- iptables: deprecated
- nftables: "redirect to" is a special case of "dnat to" (with localhost as target); "dnat to" can also NAT to remote addresses
-> optimal
Local tunnel
- Create a local tunnel with socat, started by systemd
-> optimal
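The two options marked optimal above, as an added example that is not part of the original page: a POSIX shell script that emits an nftables ruleset using "redirect to" (plus the "dnat to" variant for a remote address) and a systemd unit for a socat tunnel, for a rootless container that publishes an unprivileged host port. The port numbers 80 and 8080, the address 192.0.2.10, the table names and the unit text are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: emit the two configurations marked
# "optimal" above for a rootless Podman container that publishes an
# unprivileged host port, e.g.  podman run -d -p 8080:80 <image>
# The port numbers, the table names and the unit text are assumptions.

PUBLIC_PORT=80        # privileged port clients connect to (assumption)
CONTAINER_PORT=8080   # unprivileged host port published by the container (assumption)

# Prints 1 when the port lies in the privileged range (< 1024), else 0.
# Only a public port in that range needs one of the workarounds at all.
port_is_privileged() {
  if [ "$1" -lt 1024 ]; then echo 1; else echo 0; fi
}

# Option 1: nftables.  "redirect to" rewrites the destination port and sends
# the packet to the local host, i.e. the special case of "dnat to".  Packets
# from the network pass the prerouting hook; connections made on the host
# itself (curl http://localhost/) do not, so an output-hook rule covers them.
# The container keeps binding its unprivileged port and gains no capability.
nft_redirect_ruleset() {
  pub="$1"; dst="$2"
  cat <<EOF
table inet podman_redirect {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        tcp dport $pub redirect to :$dst
    }
    chain output {
        type nat hook output priority -100; policy accept;
        oif "lo" tcp dport $pub redirect to :$dst
    }
}
EOF
}

# Variant of option 1 for a container published on another host: plain
# "dnat to" with a remote address (the address is an assumption).  The host
# then also needs net.ipv4.ip_forward=1 and normally a masquerade rule in a
# postrouting chain so that return traffic flows back through it.
nft_dnat_remote_ruleset() {
  pub="$1"; remote="$2"; dst="$3"
  cat <<EOF
table ip podman_dnat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        tcp dport $pub dnat to $remote:$dst
    }
}
EOF
}

# Option 2: a socat tunnel run by systemd.  Only the socat process receives
# CAP_NET_BIND_SERVICE, as an ambient capability, and it runs as a dynamic
# unprivileged user; neither the container nor rootlesskit gains anything.
socat_unit() {
  pub="$1"; dst="$2"
  cat <<EOF
[Unit]
Description=Forward TCP port $pub to rootless container port $dst
After=network.target

[Service]
ExecStart=/usr/bin/socat TCP-LISTEN:$pub,fork,reuseaddr TCP:127.0.0.1:$dst
Restart=on-failure
DynamicUser=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Usage:  sh ports.sh nft   > /etc/nftables.d/podman-redirect.nft   (then nft -f ...)
#         sh ports.sh socat > /etc/systemd/system/podman-port-80.service
case "${1:-}" in
  nft)   nft_redirect_ruleset "$PUBLIC_PORT" "$CONTAINER_PORT" ;;
  socat) socat_unit "$PUBLIC_PORT" "$CONTAINER_PORT" ;;
esac
```

Both outputs are applied as root (nft -f, or systemctl enable --now), while the container itself keeps running rootless. Compared with the sysctl option above, neither change lowers the privileged port range for every other process on the host, and compared with setcap on rootlesskit, no other container can bind the port.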
Maintenance
Remove dangling images
List dangling images
Please see:
man 1 podman-images
Remove dangling images
Please see:
man 1 podman-image-prune