Creating Secure Containers with Podman

Podman, a containerization tool akin to Docker, empowers users to build, deploy, and manage lightweight, secure containers.

Offering an alternative to Docker, Podman excels in security, leveraging its rootless and daemonless architecture. This guide explores how to harness Podman’s capabilities to construct robust and secure container environments.

What is Podman?

Podman is an open-source container management tool that enables users to create, manage, and run containers.

It provides a secure and flexible environment for deploying applications and services, offering features like container isolation, image management, and compatibility with Docker.

Podman enhances security by operating without a central daemon, reducing the attack surface. It utilizes user namespaces and SELinux to enforce container isolation, preventing unauthorized access to host resources.

With rootless containers, Podman minimizes the risk of privilege escalation attacks, making it a more secure choice for container management.

Objectives

  • Establish container isolation for rigorous testing of newly discovered malware.
  • Ensure container isolation to evaluate the effectiveness of cybersecurity tools.
  • Attain the highest level of container security through robust measures.
  • Optimize container performance for rapid and dependable experimentation.

Installing Requirements (MacOS)

Before starting with the requirements in this article, I would like to note that I am using MacOS. However, obtaining the necessary tools for other operating systems is straightforward.

While the focus of this article is on MacOS, alternative methods for Linux and Windows are also provided (if you require additional information about installation on Linux and Windows, please refer to the official documentation links given below).

On MacOS, Podman utilizes a virtual machine for each instance. After installation, you can execute the podman command directly from the Unix shell within Terminal. This command communicates remotely with the Podman service operational in the Machine VM.

Podman is available for download from the official Podman website (Install CLI version). While Brew offers a convenient package management solution, it’s worth noting that Brew installs of Podman are community-maintained and may lack stability. Therefore, we recommend installing Podman directly from the official source.

If you choose to proceed with Brew, ensure you have Homebrew installed. Once Homebrew is set up, you can install Podman using the following command:

brew install podman

You can then verify the installation information using:

podman info

Installing Requirements (Windows)

On Windows, each Podman instance is supported by a virtualized Windows Subsystem for Linux (WSLv2) distribution. Following installation, you can execute the podman command directly from your Windows PowerShell or Command Prompt.

This command remotely interacts with the Podman service operational within the WSL environment. Alternatively, you may opt for direct access to Podman within the WSL instance, providing a Linux prompt and Linux toolset.

See the Podman for Windows guide for setup and usage instructions.

Installing Requirements (Linux)

For Linux installation instructions, please refer to the following link: Linux Installation Guide. This link provides installation guides tailored to different Linux distributions.

Starting a New Linux Virtual Machine

To use Podman on macOS, you’ll need to set up a Linux virtual machine. Let’s create one and start the VM.

podman machine init

This command creates a new Linux virtual machine. The default operating system is Fedora CoreOS, and on macOS the VM is virtualized with AppleHV.

To list all virtual machines:

podman machine ls

To start the virtual machine:

podman machine start

To stop the virtual machine:

podman machine stop

To get info about the virtual machine:

podman machine info

Searching, Pulling, and Listing Container Images

In this section, we’ll cover searching for, pulling, and listing container images. First, let’s search for an image:

podman search python

Pulling an image:

podman pull docker.io/library/python

List images:

podman images

To remove an image:

podman rmi <image>

Running a Container

Run a Python container with no network, and all Linux capabilities dropped for enhanced security:

podman run --network=none --cap-drop=all python

To use default network settings:

podman run --cap-drop=all python

Podman’s default network feature facilitates communication between containers running on the same host. It establishes a bridge network, isolating container traffic for security and efficiency.

This default network enables seamless interaction among containers while ensuring they remain segregated from external networks, enhancing overall container management and security.

To create custom networks and learn more about networking in Podman, refer to the following article. This official article provides detailed insights into configuring networks tailored to your specific requirements.

Start a new interactive Python shell in a container:

podman run -it python

Run a Python file from the host. The file is not part of the image, so it is bind-mounted (read-only) into the container first:

podman run --rm -v "$PWD/script.py:/script.py:ro" python python /script.py

You can “inspect” a running container to gather metadata and details about it. podman inspect provides valuable information such as environment variables, network settings, and resource allocations.

podman inspect -l | grep IPAddress

In rootless mode, containers typically don’t have an assigned IP address.

Starting and Stopping Containers

After exiting a container, you can start and stop it again using Podman commands like podman start and podman stop. Additionally, you can interact with a running container using podman exec.

# Start a stopped container
podman start <container-id>

# Stop a running container
podman stop <container-id>

# Execute a command in a running container
podman exec <container-id> <command>

Replace <container-id> with the actual ID or name of your container, and <command> with the command you want to execute within the container.

Starting a Rootless Container

A rootless container operates without requiring root privileges, enhancing security and flexibility. Utilizing user namespaces, it isolates container processes from the host system, allowing users to run containers without administrative access.

This approach facilitates safer container deployment and is particularly beneficial in multi-tenant or shared environments.

podman run --network slirp4netns --user 1000:1000 --rm <image>

The command runs a Podman container as user ID 1000 and group ID 1000, using the slirp4netns network mode for network connectivity.

Slirp4netns provides network connectivity for unprivileged containers, enhancing security and enabling non-root users to run containers safely.

Using the --rm flag removes the container automatically after it exits, regardless of its exit status.
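The hardened run described in the two sections above (no network, every capability dropped, non-root user) as an added example that is not part of the original article. It builds the command line in one place and, where podman is installed, checks from inside the container that the capability mask is really empty and that loopback is the only interface; the --security-opt, --read-only and --tmpfs flags and the python:3-slim tag are our own additions.

```shell
#!/bin/sh
# Added example (not from the original article): build the hardened
# `podman run` invocation described above (no network, every capability
# dropped, unprivileged user) and verify from inside the container that
# the restrictions actually took effect. The extra flags and the image
# tag below are our own assumptions, not the article's.

# Argument list for the hardened run, kept in one place so every
# experiment uses the same settings.
hardened_run_args() {
  echo "run --rm --network=none --cap-drop=all" \
       "--security-opt=no-new-privileges --read-only --tmpfs /tmp" \
       "--user 1000:1000 docker.io/library/python:3-slim"
}

# Returns 0 when the given /proc/<pid>/status text shows an all-zero
# effective capability mask (CapEff), i.e. every capability is dropped.
caps_all_dropped() {
  mask=$(printf '%s\n' "$1" | sed -n 's/^CapEff:[[:space:]]*//p')
  [ -n "$mask" ] && [ -z "$(printf '%s' "$mask" | tr -d 0)" ]
}

# Returns 0 when the given /proc/net/dev text lists loopback as the only
# network interface, which is what --network=none should produce.
only_loopback() {
  ifaces=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\([^:[:space:]]*\):.*/\1/p')
  [ "$ifaces" = "lo" ]
}

# Live check; runs only where podman is installed (a Linux host, or the
# podman machine VM on macOS). The unquoted expansion is intentional so
# the argument string is split into separate words.
verify_isolation() {
  if ! command -v podman >/dev/null 2>&1; then
    echo "podman not found; skipping live check"
    return 0
  fi
  status=$(podman $(hardened_run_args) cat /proc/self/status) || return 1
  netdev=$(podman $(hardened_run_args) cat /proc/net/dev) || return 1
  caps_all_dropped "$status" && only_loopback "$netdev" && echo "isolation verified"
}

verify_isolation
```

If either check fails the script exits non-zero, so it can gate a malware-analysis run on the sandbox settings being in force.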

Listing and Removing Containers

podman ps -a

This command lists all containers, including stopped ones, providing an overview of container statuses and IDs.

podman rm <container-id>

Using podman rm removes a specific container, freeing up resources and deleting its configuration.

Custom MAC Addresses for Containers

Below is the command to create a Podman container named “container_name” from the specified image, with a custom MAC address assigned:

podman create --name container_name --mac-address=02:42:ac:11:00:02 <image>

Hide Your Host Public IP with a VPN Service

Utilize a VPN service to conceal your host machine’s public IP address from your Podman VM. By connecting to a VPN, your traffic is routed through encrypted tunnels, masking your true IP.

This approach ensures privacy and security for your host while maintaining seamless communication with your Podman environment.
