
Container Introduction

This document tries to give a rough overview of what containers are and how to use them. For some policies see ContainerPolicies. For more information on building see ContainerBuilding. For more details on running containers see Kubernetes.

Introduction

A container is a technology to run a process isolated from the system it is running on. It is more lightweight than a virtual machine. The buzzword for this is Docker.

Docker is a container runtime engine that made containers famous (again). It's not the first container engine, but it pushed a lot of standardization forward. At GSI we are currently using runc as engine and podman as command-line interface for local containers.

A process requires CPU, RAM, an application binary and related libraries (packaged into an image). It communicates with other applications via IP. (For some reason ;-) processes want to store data. This is a difficult problem on cluster setups with multiple nodes. During the evaluation we won't provide any persistent storage solution.) (Note: graphical output (desktop applications) is not really a problem containers try to solve. For this, other technologies were invented (flatpak, snap). They use similar concepts and technologies, but are normally less strictly isolated and have more system privileges.)

Local Container

The only configured system is currently asl503.

Using Containers

Our tool to interact with containers is podman.

[handel@vmlb016 ~]$ podman run -ti busybox:latest /bin/sh
Trying to pull registry.acc.gsi.de/busybox:latest...
Getting image source signatures
Copying blob 138cfc514ce4 done  
Copying blob a3ed95caeb02 done  
Copying blob a3ed95caeb02 done  
Copying blob a3ed95caeb02 done  
Writing manifest to image destination
Storing signatures
/ # 

Congratulations. Your first container is running. We are done.

So what happened? We queried our default container registry (preconfigured to point to registry.acc.gsi.de) for an image called busybox in the latest version. Then we downloaded the parts of this image and executed a shell. And it looks like we have root permissions (the # prompt).

Open a second terminal:

[handel@vmlb016 ~]$ podman container list
CONTAINER ID  IMAGE                               COMMAND  CREATED         STATUS             PORTS  NAMES
3c60a5920619  registry.acc.gsi.de/busybox:latest  /bin/sh  18 seconds ago  Up 18 seconds ago         confident_allen
[handel@vmlb016 ~]$ podman image list
REPOSITORY                    TAG      IMAGE ID       CREATED       SIZE
registry.acc.gsi.de/busybox   latest   e7d168d7db45   5 years ago   2.66 MB
[handel@vmlb016 ~]$ 

We have a running container (with a random name as we did not specify one with --name), and an image.

Exit the busybox shell and check what is left:
[handel@vmlb016 ~]$ podman container list
CONTAINER ID  IMAGE  COMMAND  CREATED  STATUS  PORTS  NAMES
[handel@vmlb016 ~]$ podman image list
REPOSITORY                    TAG      IMAGE ID       CREATED       SIZE
registry.acc.gsi.de/busybox   latest   e7d168d7db45   5 years ago   2.66 MB

No running container, but the image is still here.

The container (named confident_allen) is still here, it's just not running.
[handel@vmlb016 ~]$ podman container list -a
CONTAINER ID  IMAGE                               COMMAND  CREATED         STATUS                     PORTS  NAMES
3c60a5920619  registry.acc.gsi.de/busybox:latest  /bin/sh  6 minutes ago   Exited (0) 4 seconds ago          confident_allen

We can start the container again without creating a new one:
[handel@vmlb016 ~]$ podman start confident_allen
confident_allen
[handel@vmlb016 ~]$ podman attach confident_allen
/ # 

Now exit the busybox shell and clean up:

[handel@vmlb016 ~]$ podman container prune
WARNING! This will remove all stopped containers.
Are you sure you want to continue? [y/N] y
3c60a5920619793025782bd96c019e11a21f2c9d66a85116407707d8d299593d
[handel@vmlb016 ~]$ podman image list
REPOSITORY                    TAG      IMAGE ID       CREATED       SIZE
registry.acc.gsi.de/busybox   latest   e7d168d7db45   5 years ago   2.66 MB
[handel@vmlb016 ~]$ 

This wipes all stopped containers. You could also wipe a specific container (podman container rm confident_allen), but I guess it is rare that you want to reuse an existing container.

The pulled image stays. The next time we create a container using that image, it does not need to be downloaded again. But we can and should also clean up those images.

[handel@vmlb016 ~]$ podman image list
REPOSITORY                    TAG      IMAGE ID       CREATED       SIZE
registry.acc.gsi.de/busybox   latest   e7d168d7db45   5 years ago   2.66 MB
[handel@vmlb016 ~]$ podman image prune
WARNING! This will remove all dangling images.
Are you sure you want to continue? [y/N] y
[handel@vmlb016 ~]$ podman image list
REPOSITORY                    TAG      IMAGE ID       CREATED       SIZE
registry.acc.gsi.de/busybox   latest   e7d168d7db45   5 years ago   2.66 MB
[handel@vmlb016 ~]$ podman image rm busybox:latest
Untagged: registry.acc.gsi.de/busybox:latest
Deleted: e7d168d7db455c45f4d0315d89dbd18806df4784f803c3cc99f8a2e250585b5b
[handel@vmlb016 ~]$ podman image list
REPOSITORY   TAG   IMAGE ID   CREATED   SIZE
[handel@vmlb016 ~]$ 

There is a difference between named images and anonymous, dangling images (all our images are currently named; once you start building your own, there will be anonymous ones). Prune will only remove dangling images. Specify images by name (busybox), in more detail by name and tag (busybox:latest), or by checksum (e7d168d7db45).

Creating Container

There are multiple ways to build your own container image. It is possible to create an image interactively, but this is not reproducible or repeatable. For this reason we can write an instruction set called a Containerfile. More details in ContainerBuilding.

FROM busybox:latest
RUN touch /my-first-container-image

Create the file using a text editor (nano Containerfile) and run a build:

[handel@vmlb016 ~]$ podman build .
STEP 1: FROM busybox:latest
Getting image source signatures
Copying blob a3ed95caeb02 done
Copying blob a3ed95caeb02 done
Copying blob a3ed95caeb02 done
Copying blob 138cfc514ce4 done
Writing manifest to image destination
Storing signatures
STEP 2: RUN touch /my-first-container-image
STEP 3: COMMIT
--> 8d477e3613f
8d477e3613f699ab03098ae4f816261a5934beac2c2d02a110247db919a4c97e
[handel@vmlb016 ~]$ podman image list
REPOSITORY                    TAG      IMAGE ID       CREATED         SIZE
<none>                        <none>   8d477e3613f6   8 seconds ago   2.65 MB
registry.acc.gsi.de/busybox   latest   e7d168d7db45   5 years ago     2.66 MB
[handel@vmlb016 ~]$ 

We now have an image with the ID 8d477e3613f6. Let's run it and see if our file is there.

Note: on rerunning the build you will notice that the busybox layers are not downloaded again. They are cached. The final checksum will be different as the touched file has a different date.

[handel@vmlb016 ~]$ podman run -ti 8d477e3613f6
/ # ls -l
total 16
...
-rw-r--r--    1 root     root             0 Apr  1 08:00 my-first-container-image
...
/ # exit
[handel@vmlb016 ~]$ podman container list -a
CONTAINER ID  IMAGE                                                             COMMAND  CREATED         STATUS                    PORTS  NAMES
5cc6fd2d9c60  8d477e3613f699ab03098ae4f816261a5934beac2c2d02a110247db919a4c97e  /bin/sh  27 seconds ago  Exited (0) 7 seconds ago         clever_chaplygin
[handel@vmlb016 ~]$ 

Running images by ID is a bit annoying, so we can add a tag to them. A tag is a combination of a name and a version separated by a colon. Some container registries restrict the name; for Harbor it should be project/repository, that is, exactly two levels. The version is a string. If no version is given, latest is assumed. (Busybox is a so-called library image. Library images have an implicit group library. The full name would be library/busybox.)
[handel@vmlb016 ~]$ podman image tag 8d477e3613f6 my/app:latest
[handel@vmlb016 ~]$ podman image list
REPOSITORY                    TAG      IMAGE ID       CREATED         SIZE
localhost/my/app              latest   8d477e3613f6   8 minutes ago   2.65 MB
registry.acc.gsi.de/busybox   latest   e7d168d7db45   5 years ago     2.66 MB

We could also have done this during the build:
[handel@vmlb016 ~]$ podman build -t my/app:latest .
STEP 1: FROM busybox:latest
STEP 2: RUN touch /my-first-container-image
STEP 3: COMMIT my/app:latest
--> 01733937226
017339372262d95c8160fad0d04fa91be422d16cee27073fffcba9e04bf2ae1f
[handel@vmlb016 ~]$ podman image list
REPOSITORY                    TAG      IMAGE ID       CREATED          SIZE
localhost/my/app              latest   017339372262   3 seconds ago    2.65 MB
<none>                        <none>   8d477e3613f6   16 minutes ago   2.65 MB
registry.acc.gsi.de/busybox   latest   e7d168d7db45   5 years ago      2.66 MB
[handel@vmlb016 ~]$ podman container list -a
CONTAINER ID  IMAGE                                                             COMMAND  CREATED         STATUS                     PORTS  NAMES
5cc6fd2d9c60  8d477e3613f699ab03098ae4f816261a5934beac2c2d02a110247db919a4c97e  /bin/sh  17 minutes ago  Exited (0) 16 minutes ago         clever_chaplygin
The tag my/app:latest now points to image ID 017339372262, and our previous image 8d477e3613f6 lost it. But it is still there, as is our container which is using it.
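
Because a tag can be moved to a different image, as just happened to my/app:latest, a deployment that must run one specific build should compare the tag against a recorded image ID. An added example, not part of the original page: the function names are hypothetical and the listing is the page's podman image list output embedded as sample input.

```shell
#!/bin/sh
# Sample input: the `podman image list` output shown above, after the rebuild.
SAMPLE_IMAGES='REPOSITORY                    TAG      IMAGE ID       CREATED          SIZE
localhost/my/app              latest   017339372262   3 seconds ago    2.65 MB
<none>                        <none>   8d477e3613f6   16 minutes ago   2.65 MB
registry.acc.gsi.de/busybox   latest   e7d168d7db45   5 years ago      2.66 MB'

# image_id_for LISTING REF
# REF is repository[:tag], spelled exactly as in the REPOSITORY column.
# A missing tag means "latest". Fails if the listing has no such entry.
image_id_for() {
    ref=$2
    case "${ref##*/}" in              # look for ':' only in the last path part
        *:*) repo=${ref%:*}; tag=${ref##*:} ;;
        *)   repo=$ref; tag=latest ;;
    esac
    printf '%s\n' "$1" | awk -v repo="$repo" -v tag="$tag" '
        NR > 1 && $1 == repo && $2 == tag { print $3; found = 1; exit }
        END { if (!found) exit 1 }'
}

# check_pin LISTING REF PINNED_ID
# Prints "ok", "drift <current-id>" or "missing"; returns 0 only for "ok".
# PINNED_ID may be the full checksum; the listing shows its first 12 characters.
check_pin() {
    current=$(image_id_for "$1" "$2") || { echo missing; return 2; }
    case "$3" in
        "$current"*) echo ok ;;
        *) echo "drift $current"; return 1 ;;
    esac
}

# dangling_ids LISTING
# IDs of images without name and tag, which is what `podman image prune` removes.
dangling_ids() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 == "<none>" && $2 == "<none>" { print $3 }'
}
```

On a live system pass "$(podman image list)" as the listing.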

Time to clean up.
[handel@vmlb016 ~]$ podman image rm 8d477e3613f6
Error: could not remove image 8d477e3613f699ab03098ae4f816261a5934beac2c2d02a110247db919a4c97e as it is being used by 1 containers
[handel@vmlb016 ~]$ podman container prune
WARNING! This will remove all stopped containers.
Are you sure you want to continue? [y/N] y
5cc6fd2d9c60f60b305cc6be910722cc84ca79f484ea791c848686403beb4401
[handel@vmlb016 ~]$ podman image prune
WARNING! This will remove all dangling images.
Are you sure you want to continue? [y/N] y
8d477e3613f699ab03098ae4f816261a5934beac2c2d02a110247db919a4c97e
[handel@vmlb016 ~]$ podman image list
REPOSITORY                    TAG      IMAGE ID       CREATED         SIZE
localhost/my/app              latest   017339372262   3 minutes ago   2.65 MB
registry.acc.gsi.de/busybox   latest   e7d168d7db45   5 years ago     2.66 MB
[handel@vmlb016 ~]$ 

We could not delete 8d477e3613f6, as our container still existed, even though it had terminated. So first prune all stopped containers, then prune all images without a tag, and finally check what is left.

Once our image is complete we want to publish it. This means pushing (uploading) it to a ContainerRegistry. Before continuing, see also ContainerRegistry#Authentication, otherwise the push might fail because you are "unauthorized".

[handel@vmlb016 ~]$ podman image push my/app:latest registry.acc.gsi.de/my/app:latest
Getting image source signatures
Copying blob 44c2569c4504 done  
Copying blob 5f70bf18a086 done  
Copying blob cbce77eb8770 done  
Copying blob 5f70bf18a086 done  
Copying blob 5f70bf18a086 done  
Copying config 0173393722 done  
Writing manifest to image destination
Storing signatures

Now we wipe everything we have locally, then download and run it again:

[handel@vmlb016 ~]$ podman container prune -f
[handel@vmlb016 ~]$ podman image rm -af
e7d168d7db455c45f4d0315d89dbd18806df4784f803c3cc99f8a2e250585b5b
017339372262d95c8160fad0d04fa91be422d16cee27073fffcba9e04bf2ae1f
[handel@vmlb016 ~]$ podman image pull my/app:latest
Trying to pull registry.acc.gsi.de/my/app:latest...
Getting image source signatures
Copying blob 7f3101d77f2a done
Copying blob 12e4f9a01a0f done
Copying blob 4ca545ee6d5d done
Copying blob 4ca545ee6d5d done
Copying blob 4ca545ee6d5d done
Copying config add8ee6de6 done
Writing manifest to image destination
Storing signatures
add8ee6de612a59aee4173290689423d64adfdcba1d45b03be89877ff2a500b1
[handel@vmlb016 ~]$ podman run -ti my/app:latest
/ # ls -l
total 16
...
-rw-r--r--    1 root     root             0 Apr  1 09:07 my-first-container-image
...
/ # exit
[handel@vmlb016 ~]$ 
We could skip the explicit pull step; a missing image is automatically pulled.

For more information read ContainerBuilding.
Topic revision: r11 - 24 May 2022, RaphaelMueller