Manage pods, containers, and container images.
This project is maintained by the containers organization.
Subscribe to the blog feed.
Podman is a tool for running Linux containers. You can do this from a MacOS desktop as long as you have access to a linux box either running inside of a VM on the host, or available via the network. You need to install the remote client and then setup ssh connection information.
The Mac client is available through Homebrew:
brew cask install podman
Podman is a tool for running Linux containers. You can do this from a Windows desktop as long as you have access to a linux box either running inside of a VM on the host, or available via the network. You need to install the remote client and then setup ssh connection information in the podman-remote.conf file. Podman can also be run in the Windows Subsystem for Linux system, check out the link below to see a description of how this is done.
The Kubic project provides updated packages for CentOS 7 which can be used unmodified on Amazon Linux 2.
sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_7/devel:kubic:libcontainers:stable.repo
sudo yum -y install yum-plugin-copr
sudo yum -y copr enable lsm5/container-selinux
sudo yum -y install podman
sudo pacman -S podman
If you have problems when running Podman in rootless mode follow the instructions here
Podman is available in the default Extras repos for CentOS 7 and in the AppStream repo for CentOS 8 and Stream. Even though the available version often lags behind the latest upstream release, it’s still the preferable build for production environments.
sudo yum -y install podman
The Kubic project provides updated packages for CentOS 7, 8 and Stream. These packages haven’t been through the official Red Hat QA process and may not be preferable for production environments.
# CentOS 7
sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_7/devel:kubic:libcontainers:stable.repo
sudo yum -y install podman
# CentOS 8
sudo dnf -y module disable container-tools
sudo dnf -y install 'dnf-command(copr)'
sudo dnf -y copr enable rhcontainerbot/container-selinux
sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_8/devel:kubic:libcontainers:stable.repo
sudo dnf -y install podman
# CentOS Stream
sudo dnf -y module disable container-tools
sudo dnf -y install 'dnf-command(copr)'
sudo dnf -y copr enable rhcontainerbot/container-selinux
sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_8_Stream/devel:kubic:libcontainers:stable.repo
sudo dnf -y install podman
The libpod package is being worked on for inclusion in the default Debian repos. Relevant status updates can also be found here.
Alternatively, the Kubic project provides packages for Debian 10, testing and unstable.
# Debian Unstable/Sid
echo 'deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_Unstable/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_Unstable/Release.key | sudo apt-key add -
# Debian Testing
echo 'deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_Testing/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_Testing/Release.key | sudo apt-key add -
# Debian 10
echo 'deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/Release.key | sudo apt-key add -
sudo apt-get update -qq
sudo apt-get -qq -y install podman
There are many packages with the libpod prefix available already on Debian. However, those are unrelated to this project.
sudo yum -y install podman
Built-in, no need to install
sudo emerge app-emulation/libpod
Bitbake recipes for podman and its dependencies are available in the meta-virtualization layer. Add the layer to your OpenEmbedded build environment and build podman using:
bitbake podman
sudo zypper install podman
Built-in, no need to install
The Kubic project provides packages for Raspbian 10.
# Raspbian 10
echo 'deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Raspbian_10/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Raspbian_10/Release.key | sudo apt-key add -
sudo apt-get update -qq
sudo apt-get -qq -y install podman
Subscribe, then enable Extras channel and install Podman.
sudo subscription-manager repos --enable=rhel-7-server-extras-rpms
sudo yum -y install podman
sudo yum module enable -y container-tools:1.0
sudo yum module install -y container-tools:1.0
The Kubic project provides packages for Ubuntu 18.04, 19.04, 19.10 and 20.04.
. /etc/os-release
echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/Release.key | sudo apt-key add -
sudo apt-get update -qq
sudo apt-get -qq -y install podman
There are many packages with the libpod prefix available already on Ubuntu. However, those are unrelated to this project.
The Kubic project provides updated packages for CentOS 7 which can be used unmodified on Amazon Linux 2.
sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:testing.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/testing/CentOS_7/devel:kubic:libcontainers:testing.repo
sudo yum -y install yum-plugin-copr
sudo yum -y copr enable lsm5/container-selinux
sudo yum -y install podman
Podman is available in the default Extras repos for CentOS 7 and in the AppStream repo for CentOS 8 and Stream, however the available version often lags the upstream release.
The Kubic project provides updated packages for CentOS 7, 8 and Stream.
# CentOS 7
sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:testing.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/testing/CentOS_7/devel:kubic:libcontainers:testing.repo
sudo yum -y install podman
# CentOS 8
sudo dnf -y module disable container-tools
sudo dnf -y install 'dnf-command(copr)'
sudo dnf -y copr enable rhcontainerbot/container-selinux
sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:testing.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/testing/CentOS_8/devel:kubic:libcontainers:testing.repo
sudo dnf -y install podman
# CentOS Stream
sudo dnf -y module disable container-tools
sudo dnf -y install 'dnf-command(copr)'
sudo dnf -y copr enable rhcontainerbot/container-selinux
sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:testing.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/testing/CentOS_8_Stream/devel:kubic:libcontainers:testing.repo
sudo dnf -y install podman
The Kubic project provides RC/testing packages for Debian 10, testing and unstable.
# Debian Unstable/Sid
echo 'deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/testing/Debian_Unstable/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:testing.list
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/testing/Debian_Unstable/Release.key | sudo apt-key add -
# Debian Testing
echo 'deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/testing/Debian_Testing/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:testing.list
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/testing/Debian_Testing/Release.key | sudo apt-key add -
# Debian 10
echo 'deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/testing/Debian_10/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:testing.list
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/testing/Debian_10/Release.key | sudo apt-key add -
sudo apt-get update -qq
sudo apt-get -qq -y install podman
You can test the very latest Podman in Fedora’s updates-testing
repository before it goes out to all Fedora users.
sudo yum distro-sync --enablerepo=updates-testing podman
If you use a newer Podman package from Fedora’s updates-testing, we would
appreciate your +1 feedback in Bodhi, Fedora’s update management
system.
If you are running a non-rawhide Fedora distribution, you can also test the latest packages with our COPR repository.
The Kubic project provides RC/testing packages for Raspbian 10.
# Raspbian 10
echo 'deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/testing/Raspbian_10/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:testing.list
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/testing/Raspbian_10/Release.key | sudo apt-key add -
sudo apt-get update -qq
sudo apt-get -qq -y install podman
The Kubic project provides RC/testing packages for Ubuntu 18.04, 19.04, 19.10 and 20.04.
. /etc/os-release
echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/testing/xUbuntu_${VERSION_ID}/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:testing.list
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/testing/xUbuntu_${VERSION_ID}/Release.key | sudo apt-key add -
sudo apt-get update -qq
sudo apt-get -qq -y install podman
Required
Fedora, CentOS, RHEL, and related distributions you should try to run
make package-install which will install dependencies, build the source,
produce rpms for the current platform and install them in the end.
sudo yum install -y \
btrfs-progs-devel \
conmon \
containernetworking-cni \
device-mapper-devel \
git \
glib2-devel \
glibc-devel \
glibc-static \
go \
golang-github-cpuguy83-md2man \
gpgme-devel \
iptables \
libassuan-devel \
libgpg-error-devel \
libseccomp-devel \
libselinux-devel \
make \
pkgconfig \
runc \
containers-common
Debian, Ubuntu, and related distributions:
sudo apt-get install \
btrfs-tools \
git \
golang-go \
go-md2man \
iptables \
libassuan-dev \
libbtrfs-dev \
libc6-dev \
libdevmapper-dev \
libglib2.0-dev \
libgpgme-dev \
libgpg-error-dev \
libprotobuf-dev \
libprotobuf-c0-dev \
libseccomp-dev \
libselinux1-dev \
libsystemd-dev \
pkg-config \
runc \
uidmap
On openSUSE Leap 15.x and Tumbleweed:
sudo zypper -n in libseccomp-devel libgpgme-devel
On Manjaro (and maybe other Linux distributions):
Make sure that the Linux kernel supports user namespaces:
> zgrep CONFIG_USER_NS /proc/config.gz
CONFIG_USER_NS=y
If not, please update the kernel. For Manjaro Linux the instructions can be found here: https://wiki.manjaro.org/index.php/Manjaro_Kernels
After that enable user namespaces:
sudo sysctl kernel.unprivileged_userns_clone=1
To enable the user namespaces permanently:
echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/userns.conf
If any dependencies cannot be installed or are not sufficiently current, they have to be built from source. This will mainly affect Debian, Ubuntu, and related distributions, or RHEL where no subscription is active (e.g. Cloud VMs).
Be careful to double-check that the version of golang is new enough (i.e. go version), version 1.12.x or higher is supported.
If needed, golang kits are available at https://golang.org/dl/. Alternatively, go can be built from source as follows
(it’s helpful to leave the system-go installed, to avoid having to bootstrap go:
export GOPATH=~/go
git clone https://go.googlesource.com/go $GOPATH
cd $GOPATH
git checkout tags/go1.12.17 # optional
cd src
./all.bash
export PATH=$GOPATH/bin:$PATH
The latest version of conmon is expected to be installed on the system. Conmon is used to monitor OCI Runtimes.
To build from source, use the following:
git clone https://github.com/containers/conmon
cd conmon
export GOCACHE="$(mktemp -d)"
make
sudo make podman
The latest version of runc is expected to be installed on the system. It is picked up as the default runtime by Podman.
Version 1.0.0-rc4 is the minimal requirement, which is available in Ubuntu 18.04 already.
To double-check, runc --version should produce at least spec: 1.0.1, otherwise build your own:
git clone https://github.com/opencontainers/runc.git $GOPATH/src/github.com/opencontainers/runc
cd $GOPATH/src/github.com/opencontainers/runc
make BUILDTAGS="selinux seccomp"
sudo cp runc /usr/bin/runc
A proper description of setting up CNI networking is given in the cni README.
A basic setup for CNI networking is done by default during the installation or make processes and no further configuration is needed to start using Podman.
sudo mkdir -p /etc/containers
sudo curl -L -o /etc/containers/registries.conf https://raw.githubusercontent.com/projectatomic/registries/master/registries.fedora
sudo curl -L -o /etc/containers/policy.json https://raw.githubusercontent.com/containers/skopeo/master/default-policy.json
Fedora, CentOS, RHEL, and related distributions:
(no optional packages)
Debian, Ubuntu, and related distributions:
apt-get install -y \
libapparmor-dev
As with other Go projects, Podman must be cloned into a directory structure like:
GOPATH
└── src
└── github.com
└── containers
└── podman
First, ensure that the go version that is found first on the $PATH (in case you built your own; see above) is sufficiently recent -
go version must be higher than 1.12.x). Then we can finally build Podman (assuming we already have a $GOPATH and the corresponding folder,
export GOPATH=~/go && mkdir -p $GOPATH):
git clone https://github.com/containers/podman/ $GOPATH/src/github.com/containers/podman
cd $GOPATH/src/github.com/containers/podman
make BUILDTAGS="selinux seccomp"
sudo make install PREFIX=/usr
Otherwise, if you do not want to build Podman with seccomp or selinux support you can add BUILDTAGS="" when running make.
make BUILDTAGS=""
sudo make install
Podman supports optional build tags for compiling support of various features.
To add build tags to the make option the BUILDTAGS variable must be set, for example:
make BUILDTAGS='seccomp apparmor'
| Build Tag | Feature | Dependency |
|---|---|---|
| apparmor | apparmor support | libapparmor |
| exclude_graphdriver_btrfs | exclude btrfs | libbtrfs |
| exclude_graphdriver_devicemapper | exclude device-mapper | libdm |
| libdm_no_deferred_remove | exclude deferred removal in libdm | libdm |
| seccomp | syscall filtering | libseccomp |
| selinux | selinux process and mount labeling | |
| systemd | journald logging | libsystemd |
Note that Podman does not officially support device-mapper. Thus, the exclude_graphdriver_devicemapper tag is mandatory.
This project is using go modules for dependency management. If the CI is complaining about a pull request leaving behind an unclean state, it is very likely right about it. After changing dependencies, make sure to run make vendor to synchronize the code with the go module and repopulate the ./vendor directory.
It is possible to build a statically linked binary of Podman by using the officially provided nix package and the derivation of it within this repository. The builds are completely reproducible and will create a x86_64/amd64 stripped ELF binary for glibc.
To build the binaries by locally installing the nix package manager:
curl -L https://nixos.org/nix/install | sh
git clone https://github.com/containers/podman.git && cd podman
nix build -f nix/
./result/bin/podman --version
An Ansible Role is also available to automate the installation of the above statically linked binary on its supported OS:
sudo su -
mkdir -p ~/.ansible/roles
cd ~/.ansible/roles
git clone https://github.com/alvistack/ansible-role-podman.git podman
cd ~/.ansible/roles/podman
pip3 install --upgrade --ignore-installed --requirement requirements.txt
molecule converge
molecule verify
/etc/containers/registries.conf
registries.conf is the configuration file which specifies which container registries should be consulted when completing image names which do not include a registry or domain portion.
containers-common package
cat /etc/containers/registries.conf
# This is a system-wide configuration file used to
# keep track of registries for various container backends.
# It adheres to TOML format and does not support recursive
# lists of registries.
# The default location for this configuration file is /etc/containers/registries.conf.
# The only valid categories are: 'registries.search', 'registries.insecure',
# and 'registries.block'.
[registries.search]
registries = ['docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com', 'registry.centos.org']
# If you need to access insecure registries, add the registry's fully-qualified name.
# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
[registries.insecure]
registries = []
# If you need to block pull access from a registry, uncomment the section below
# and add the registries fully-qualified name.
#
[registries.block]
registries = []
/usr/share/containers/mounts.conf and optionally /etc/containers/mounts.conf
The mounts.conf files specify volume mount directories that are automatically mounted inside containers when executing the podman run or podman build commands. Container process can then use this content. The volume mount content does not get committed to the final image.
Usually these directories are used for passing secrets or credentials required by the package software to access remote package repositories.
For example, a mounts.conf with the line “/usr/share/rhel/secrets:/run/secrets”, the content of /usr/share/rhel/secrets directory is mounted on /run/secrets inside the container. This mountpoint allows Red Hat Enterprise Linux subscriptions from the host to be used within the container.
Note this is not a volume mount. The content of the volumes is copied into container storage, not bind mounted directly from the host.
containers-common package:
cat /usr/share/containers/mounts.conf
/usr/share/rhel/secrets:/run/secrets
/usr/share/containers/seccomp.json
seccomp.json contains the whitelist of seccomp rules to be allowed inside of containers. This file is usually provided by the containers-common package.
The link above takes you to the seccomp.json
/etc/containers/policy.json
containers-common package:
cat /etc/containers/policy.json
{
"default": [
{
"type": "insecureAcceptAnything"
}
],
"transports":
{
"docker-daemon":
{
"": [{"type":"insecureAcceptAnything"}]
}
}
}