1
pengenalan container
- container menggunakan fitur kernel linux
- misalnya seperti namespace dan Grup Kontrol (cgroups)
- OCI (Open Container Initiative)
- organisasi tata kelola yang mendefinisikan standar untuk membuat dan menjalankan kontainer.
image
- runc
- podman
- CRI-O
pengenalan kubernetes, openshift
- kubernetes
- adalah platform orkestrasi kontainer sumber terbuka yang mengotomatiskan penerapan, penskalaan, dan pengelolaan aplikasi dalam kontainer.
- Ini menyediakan fungsionalitas inti yang diperlukan untuk mengelola kontainer, tetapi memerlukan alat dan integrasi tambahan untuk membuat platform siap perusahaan yang lengkap
- openshift adalah distribusi kubernetes
- dan artinya kita memiliki kubernetes dalam openshift
- OpenShift, yang dikembangkan oleh Red Hat, adalah platform aplikasi tingkat perusahaan komprehensif yang dibangun di atas Kubernetes.
- Ini termasuk Kubernetes sebagai intinya tetapi menambahkan banyak fitur dan alat tambahan untuk memberikan solusi yang lebih lengkap untuk mengelola aplikasi dalam kontainer
Kubernetes dan Red Hat OpenShift Container Platform (RHOCP)
- feature RHOCP
- Remote management
- Multiple tenants
- Increased security
- Continuous integration
- Continuous development
2
ansible (opsional)
- example
git clone repo_ansible.git cd repo_ansible ansible-playbook playbook.yaml
podman
- Podman adalah alat open source yang dapat Anda gunakan untuk mengelola kontainer Anda secara lokal. Dengan Podman, Anda dapat menemukan, menjalankan, membangun, atau menerapkan kontainer OCI (Open Container Initiative) dan citra kontainer.
- Secara default, Podman tidak memiliki daemon. Daemon adalah proses yang selalu berjalan dan siap untuk menerima permintaan yang masuk. Beberapa alat kontainer lainnya menggunakan daemon untuk memproksikan permintaan, yang membawa satu titik kegagalan. Selain itu, daemon mungkin memerlukan hak istimewa yang ditingkatkan, yang merupakan masalah keamanan. Podman berinteraksi langsung dengan kontainer, gambar, dan registri tanpa daemon.
- Podman hadir dalam bentuk antarmuka baris perintah (CLI), yang didukung untuk beberapa sistem operasi. Bersama dengan CLI, Podman menyediakan dua cara tambahan untuk berinteraksi dengan kontainer Anda dan mengotomatiskan proses, RESTful API dan aplikasi desktop yang disebut Podman Desktop.
command
podman -v
podman pull registry.redhat.io/rhel7/rhel:7.9
podman images
podman run registry.redhat.io/rhel7/rhel:7.9 echo 'Red Hat' # run foregond
podman ps
podman ps -a
podman run --rm registry.redhat.io/rhel7/rhel:7.9 echo 'Red Hat' ## run and remove
podman ps --all --format=json
podman run -d # detecth (latar belakang)
podman run -p 8081:80 # port forwading
podman run -e NAME='Red Hat' # environment
podman-desktop
lab 1
podman run --rm registry.ocp4.example.com:8443/ubi8/ubi-minimal:8.5 \
echo 'Hello Red Hat'
podman run --rm -e GREET=Hello -e NAME='Red Hat' \
registry.ocp4.example.com:8443/ubi8/ubi-minimal:8.5 printenv GREET NAME
podman run --rm -p 8080:8080 \
registry.ocp4.example.com:8443/ubi8/httpd-24
podman network
- need 2 network
- UI networok
- API network
- ketika kita membuat container tanpa menambahkan network maka otomatis akan menggunakan podman
- network podman tidak mengaktifkan dns secara default
- sedangkan network yang telah dibuat memiliki dns
command
podman network create
podman network ls
podman network inspect
podman network rm
podman network prune
podman network connect # Menghubungkan kontainer yang sudah berjalan ke atau dari jaringan yang ada. Atau, sambungkan kontainer ke jaringan Podman
podman network create example-net
podman run -d --name my-container --net example-net container-image:latest
podman run -d --name double-connector --net postgres-net,redis-net\
container-image:latest # multiple net
podman network connect example-net my-container
podman port -a
podman port <name_container>
lab 2
grep -i listen podman-info-times/app/main.go
cat podman-info-times/Containerfile
podman network inspect podman | jq .[].subnets
podman network inspect podman | jq .[].dns_enabled
podman network create cities
podman run --name times-app \
--network cities -p 8080:8080 -d \
registry.ocp4.example.com:8443/redhattraining/podman-info-times:v0.1
podman inspect times-app \
-f ''
podman inspect times-app | jq .[].NetworkSettings.Networks.cities
podman access
- Proses Push ke Registry
- Saat kamu push sebuah container image, registry akan menyimpan setiap layer secara terpisah berdasarkan hash uniknya. Jika ada layer yang sudah ada (misalnya foo dan bar), registry tidak akan menyimpannya lagi, hanya layer baru seperti baz atau zab yang akan diunggah. Ini membantu menghemat ruang penyimpanan.
- Proses Pull dari Registry
- Ketika kamu pull sebuah image, Docker akan memeriksa apakah layer tertentu seperti foo dan bar sudah ada di sistem lokal. Jika iya, Docker hanya akan mengambil layer yang belum ada, seperti zab. Ini membuat proses pull menjadi lebih cepat dan efisien.
- Lower Dir : directory full lokasi path nya
- MergerDir : directory default ketika buat image
- UpperDir : directory yang sudah diubah
-
WorkDir : directory yang sedang digunakan
- command
```bash
interaksi dengan container terakhir bisa gunakan -l
podman exec httpd cat /etc/httpd/conf/httpd.conf podman exec -l cat /etc/httpd/conf/httpd.conf podman exec -il /bin/bash # interactive sessions ls pwd
podman exec -it -l /bin/bash interactive with tty bash-4.4$ ls
podman cp [options] [container:]source_path [container:]destination_path podman cp a3bd6c81092e:/tmp/logs . # cp to host podman cp nginx.conf nginx:/etc/nginx # cp from host to container podman cp nginx-test:/etc/nginx/nginx.conf nginx-proxy:/etc/nginx # cp from container to container
## lab 3
```bash
podman run --name nginx -d -p 8080:8080 \
registry.ocp4.example.com:8443/redhattraining/podman-nginx-helloworld
podman cp nginx:/var/log/nginx/error.log error.log
podman cp nginx:/etc/nginx/nginx.conf . # copy to host
podman cp nginx.conf nginx:/etc/nginx # copy to container
podman exec nginx nginx -s reload
lab 4
podman run --name httpd -d -p \
8080:8080 registry.ocp4.example.com:8443/ubi8/httpd-24
podman ps
podman inspect --format='' httpd # running
podman inspect --format='' httpd # true
podman stop -l
podman inspect --format='' httpd # exited
podman inspect --format='' httpd # false
podman restart httpd # running
podman rm httpd
podman rm httpd --force # remove meskipun running status
podman run --name greeter -d \
registry.ocp4.example.com:8443/redhattraining/podman-greeter-ignore-sigterm
podman stop greeter --time=5
podman restart greeter
podman kill greeter # kill signal jadi restartnya tidak akan jadi
lab soal
lab start basics-podman
podman cp basics-podman-secret:/etc/secret-file solution ~/DO188/labs/basics-podman/solution
podman network create lab-net
podman run -d --name basics-podman-server \
--net lab-net -p 8080:8080 registry.ocp4.example.com:8443/ubi8/httpd-24
podman cp index.html basics-podman-server:/var/www/html/
podman run -d --name basics-podman-client \
--net lab-net registry.ocp4.example.com:8443/ubi8/httpd-24
podman network inspect lab-net
podman exec basics-podman-client \
curl -s http://basics-podman-server:8080 && echo
3
registery
# registry.redhat.io/ubi8/ubi:8.6
# registery / namespace / image : tag
# registry.access.redhat.com: requires no authentication
# registry.redhat.io: requires authentication
vi /etc/containers/registries.conf
# list
unqualified-search-registries == ['registry.redhat.io', 'docker.io']
# block
[[registry]]
location="docker.io"
blocked=true
skopoe
skopeo inspect \
docker://registry.access.redhat.com/ubi9/nodejs-18
skopeo copy \
docker://registry.access.redhat.com/ubi9/nodejs-18 \
dir:/var/lib/images/nodejs-18
podman login
cat ${XDG_RUNTIME_DIR}/containers/auth.json
lab 1
lab start images-basics
oc login -u admin -p redhatocp \
https://api.ocp4.example.com:6443
podman login -u $(oc whoami) -p $(oc whoami -t) \
default-route-openshift-image-registry.apps.ocp4.example.com
podman login -u developer -p developer \
registry.ocp4.example.com:8443
RHOCP_REGISTRY="default-route-openshift-image-registry.apps.ocp4.example.com"
skopeo copy --dest-tls-verify=false \
docker://${RHOCP_REGISTRY}/default/python:3.9-ubi8 \
docker://registry.ocp4.example.com:8443/developer/python:3.9-ubi8
## In a web browser, navigate to https://registry.ocp4.example.com:8443 and log in with the user developer and password developer.
## Type developer in the Filter Repositories field, then click the developer/python repository.
## Click the Settings icon at the bottom of the page. Scroll to the Repository Visibility settings and click Make Public. Then, click OK.
podman logout --all
podman pull \
registry.ocp4.example.com:8443/developer/python:3.9-ubi8
podman run --rm \
registry.ocp4.example.com:8443/developer/python:3.9-ubi8 python3 --version
manage images
# [<image repository>/<namespace>/]<image name>[:<tag>]
podman image tag LOCAL_IMAGE:TAG LOCAL_IMAGE:NEW_TAG
podman search nginx
podman build --file Containerfile \
--tag quay.io/YOUR_QUAY_USER/IMAGE_NAME:TAG
podman push quay.io/YOUR_QUAY_USER/IMAGE_NAME:TAG
podman image rm -f REGISTRY/NAMESPACE/IMAGE_NAME:TAG
podman rmi --all
podman image rm --all
podman image prune
podman image prune -a
podman image prune -af
podman export -o mytarfile.tar fb601b05cd3b
podman import mytarfle.tar httpdcustom:2.4
lab 2
lab start images-managing
podman image ls --format ""
cd ~/DO188/labs/images-managing
podman build -f Containerfile -t \
simple-server
podman image ls
podman run -d \
-p 8080:8000 \
--name http-server \
simple-server
curl http://localhost:8080/hello.html
podman image inspect simple-server \
--format=""
podman image tag simple-server \
simple-server:0.1
podman image ls
podman image rm simple-server
podman image rm simple-server:0.1
podman image rm -f simple-server:0.1
lab soal
lab start images-lab
podman login -u developer -p developer registry.ocp4.example.com:8443
cd ~/DO188/labs/images-lab
podman build --file Containerfile --tag registry.ocp4.example.com:8443/developer/images-lab
podman push registry.ocp4.example.com:8443/developer/images-lab
podman tag registry.ocp4.example.com:8443/developer/images-lab registry.ocp4.example.com:8443/developer/images-lab:grue
podman push registry.ocp4.example.com:8443/developer/images-lab:grue
podman run -d --name images-lab -p 8080:8080 images-lab:grue
curl localhost:8080
lab finish images-lab
4
Containerfile
# This is a comment line 1
FROM registry.redhat.io/ubi8/ubi:8.6 2
LABEL description="This is a custom httpd container image" 3
RUN yum install -y httpd 4
EXPOSE 80 5
ENV LogLevel "info" 6
ADD http://someserver.com/filename.pdf /var/www/html 7
COPY ./src/ /var/www/html/ 8
USER apache 9
ENTRYPOINT ["/usr/sbin/httpd"] 10
CMD ["-D", "FOREGROUND"]
man Containerfile
lab 1
lab start custom-containerfiles
cat > Containerfile << EOF
FROM registry.ocp4.example.com:8443/redhattraining/podman-ubi9.2
COPY . /tmp/hello-server
RUN dnf module enable -y nodejs:18
RUN dnf install -y nodejs
RUN cd /tmp/hello-server && npm install
CMD cd /tmp/hello-server && npm start
EOF
podman build -t hello-server:bad .
podman run -d --rm --name hello-bad -p 3000:3000 hello-server:bad
curl http://localhost:3000/greet ;echo
podman image tree hello-server:bad
cat > Containerfile << EOF
FROM registry.ocp4.example.com:8443/redhattraining/podman-ubi9.2
WORKDIR /tmp/hello-server
COPY ..
RUN dnf module enable -y nodejs:18 && \
dnf install -y nodejs && \
npm install
CMD npm start
EOF
podman build -t hello-server:better .
podman image tree hello-server:better
podman run -d --rm --name hello-better -p 3000:3000 hello-server:better
curl http://localhost:3000/greet ;echo
podman stop hello-better
cat > Containerfile << EOF
FROM registry.ocp4.example.com:8443/ubi9/nodejs-18:1
LABEL org.opencontainers.image.authors="aria"
LABEL com.example.environment="production"
LABEL com.example.version="0.0.1"
ENV SERVER_PORT=3000
ENV NODE_ENV="production"
EXPOSE $SERVER_PORT
WORKDIR /opt/app-root/src
COPY . .
RUN npm install
CMD npm start
EOF
podman build -t hello-server:best .
podman inspect hello-server:best -f ''
podman run -d --rm --name hello-best -p 3000:3000 hello-server:best
curl http://localhost:3000/greet ;echo
podman stop hello-best
advance container file
# ENV
ENV DB_HOST="database.example.com"
##
from os import environ
DB_HOST = environ.get('DB_HOST')
# Connect to the database at DB_HOST...
##
## ARG
ARG key[=default value]
ARG VERSION="1.16.8" \
BIN_DIR=/usr/local/bin/
ENV VERSION=${VERSION} \
BIN_DIR=${BIN_DIR}
RUN curl "https://dl.example.io/${VERSION}/example-linux-amd64" \
-o ${BIN_DIR}/example
ARG VERSION \
BIN_DIR
ENV VERSION=${VERSION:-1.16.8} \
BIN_DIR=${BIN_DIR:-/usr/local/bin/}
RUN curl "https://dl.example.io/${VERSION}/example-linux-amd64" \
-o ${BIN_DIR}/example
## volume
FROM registry.redhat.io/rhel9/postgresql-13:1
VOLUME /var/lib/pgsql/data
podman volume prune
podman volume create VOLUME_NAME
podman volume ls --format="\t"
## ENTRYPOINT
FROM registry.access.redhat.com/ubi8/ubi-minimal:8.5
ENTRYPOINT ["echo", "Hello"]
podman run my-image # Hello
podman run my-image Red Hat # Hello Red Hat
## CMD
FROM registry.access.redhat.com/ubi8/ubi-minimal:8.5
CMD ["echo", "Hello", "Red Hat"]
podman run my-image # Hello Red Hat
podman run my-image whoami # root
## BOTH (ENTRYPOINT AND CMD)
FROM registry.access.redhat.com/ubi8/ubi-minimal:8.5
ENTRYPOINT ["echo", "Hello"]
CMD ["Red", "Hat"]
podman run my-image # Hello Red Hat
podman run my-image Podman # Hello Podman
## Text Array
ENTRYPOINT ["executable", "param1", ... "paramN"]
# string form
CMD executable param1 ... paramN
FROM registry.access.redhat.com/ubi8/ubi-minimal:8.5
LABEL GREETING="World"
ENTRYPOINT echo Hello "${GREETING}"
podman run my-image # Hello
podman run my-image env # Hello
podman run --entrypoint env my-image
# show env
## Podman Secrets
echo "R3d4ht123" > dbsecretfile
podman secret create dbsecret dbsecretfile
printf "R3d4ht123" | podman secret create dbsecret2 - # 875a1e46fa64639756968c644
podman secret ls
podman secret rm dbsecret2
podman run -it --secret dbsecret --name myapp registry.access.redhat.com/ubi8/ubi /bin/bash
cat /run/secrets/dbsecret
## multistage build
# First stage
FROM registry.access.redhat.com/ubi8/nodejs-14:1 as builder 1
COPY ./ /opt/app-root/src/
RUN npm install
RUN npm run build 2
# Second stage
FROM registry.access.redhat.com/ubi8/nginx-120 3
COPY --from=builder /opt/app-root/src/ /usr/share/nginx/html
podman build -t localhost/not-squashed .
podman build --squash -t localhost/squashed .
podman build --squash-all -t localhost/squashed-all .
podman images --format="\t"
[localhost/not-squashed:latest] 419 MB 1
[localhost/squashed:latest] 419 MB 2
[localhost/squashed-all:latest] 394 MB 3
lab 2
lab start custom-advanced
cd ~/DO188/labs/custom-advanced
cat > Containerfile << EOF
FROM registry.ocp4.example.com:8443/redhattraining/podman-random-numbers as generator
RUN python3 random_generator.py
FROM registry.ocp4.example.com:8443/ubi8/python-38:1-96
ENV FILE="/redhat/materials/numbers.txt"
USER default
WORKDIR /redhat
COPY --from=generator --chown=default /app/numbers.txt materials/numbers.txt
COPY main.py .
VOLUME /redhat/materials
CMD python3 main.py
EOF
podman build -t redhat-local/custom-advanced .
podman run --rm --name=custom-advanced redhat-local/custom-advanced
# Current content: ['17 72 97 8 32 15 63 97 57']
rootles podman
# change contaienr user
## default
podman run registry.access.redhat.com/ubi9/ubi id
FROM registry.access.redhat.com/ubi9/ubi
CMD ["python3", "-m", "http.server"]
FROM registry.access.redhat.com/ubi9/ubi
## mengubah user (keamanan)
RUN adduser \
--no-create-home \
--system \
--shell /usr/sbin/nologin \
python-server
USER python-server
CMD ["python3", "-m", "http.server"]
## pemetaan user
cat /etc/subuid /etc/subgid
# student:100000:65536
# student:100000:65536
sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 student
grep student /etc/subuid /etc/subgid
# /etc/subuid:student:100000:65536
# /etc/subgid:student:100000:65536
podman run -it registry.access.redhat.com/ubi9/ubi bash
podman top e6116477c5c9 huser user
# HUSER USER
# 1000 root
cat /proc/self/uid_map /proc/self/gid_map
## no rootles
sudo sysctl -w "net.ipv4.ip_unprivileged_port_start=79"
sudo sysctl -w "net.ipv4.ping_group_range=0 2000000"
lab 3
lab start custom-rootless
cd $HOME/DO188/labs/custom-rootless/gitea
podman build -t gitea .
sudo !! # previous command with sudo
sudo $HOME/DO188/labs/custom-rootless/ids.sh # menghapus mapping id pengguna
podman run --rm -p 3030:3030 gitea # error
sudo podman run --name root-gitea -p 3030:3030 --rm gitea # work
sudo podman exec root-gitea cat /proc/self/uid_map /proc/self/gid_map # root (not secure)
# 0 0 4294967295
# 0 0 4294967295
sudo podman stop root-gitea
sudo touch /etc/{subuid,subgid}
sudo usermod --add-subuids 100000-165536 --add-subgids 100000-165536 student
cat /etc/subuid /etc/subgid
podman run --rm -p 3030:3030 --name gitea gitea # error
podman system migrate # migrasi rentang id pengguna
podman run --name gitea --rm -p 3030:3030 gitea # work
podman stop gitea
sudo $HOME/DO188/labs/custom-rootless/ids.sh
lab finish custom-rootless
lab soal
lab start custom-lab
cd ~/DO188/labs/custom-lab
npm install; npm start
# add "RUN ./gen_certificates.sh" in first stage build
# dibagian bawah tambahnakn ENV, WORKDIR, USER, RUN, ENTRYPOINT
# add ENV
## ENV TLS_PORT=8443 \
## HTTP_PORT=8080
## CERTS_PATH="/etc/pki/tls/private/certs"
# add WORKDIR /app in Containerfile
# add USER student in Containerfile
# add "RUN npm install --omit=dev"
# add ENTRYPOINT npm start
podman build . -t localhost/podman-qr-app
podman run --name custom-lab -p 8080:8080 -p 8443:8443 localhost/podman-qr-app
5
##