Enterprise 8 package management Flashcards
What’s the difference between binary and source packages?
Binary are install ready. They have .rpm extension and contain install scripts. This has everything you need to install something.
Source come with original unmodified version of software that may be unpackaged, modified as desired, and repackaged in binary format. End with .src
Name the different fields:
openssl-1.1.1-8.el8.x86_64
openssl : name
1.1.1 : version
8 : release
el8 : Enterprise Linux 8 (not all packages have this)
x86-64 : processor
Where is package metadata stored? This will include dependencies
/var/lib/rpm
What command would you use if your trying to pull a package from a repo and it’s giving you meta data back. Also, if you turn off the gpg check it works.
Rename an image that only has an image id
Import all GPG keys to keyring
rpm –import /etc/pki/rpm-gpg/RPM-GPG-KEY*
Show GPG keys on keyring
rpm -qa gpg-pubkey*
Shows info on a certain gpg key
gpg-pubkey-db42a60e-37ea5438
podman image tag 12tg9824ht2t new_name
If you wanted to make changes to all repos, what file would you modify?
/etc/yum.conf
We’re making a repo that links to a server that requires authentication, how would you do this?
baseurl=http://user:password@www.example.com/repo/
baseurl=joshc:password@www.example.com/repo/
What is a container
What is an image?
Process has it’s own namespace and is separate from other processes. The container is sandboxed.
Image - binary, code. Empty file system which is a parent of bare bones of an OS which is a parent of sshd which is a parent of an application. Like multiple snapshots.
Copy a container image from one registry to another
Registry - repo or collection of repos.
First part is from, last part is to:
skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest
Diff between container and vm
VM is the whole os
Container is the library and the app.
These are ran in an isolated environment created by Kernel namespaces
Difference between podman and docker
podman is daemonless and open source.
Podman containers can be ran by root or by a non-privileged user
What are linux namespaces?
Partition of kernel resources
execute a command on a machine via podman
podman exec test2 ifconfig eth0
What is IPC?
Interprocess communication (IPC) comm channel between two aps
What is UTS?
Unix time-sharing namespace
allows single system to appear to have diff host and domain names to a diff process.
Create a container with the name test 3 and a hostname of test3.example.com out of docker.io/alpine
podman run -it –name test –hostname=test3.example.com docker.io/alpine sh
uname -a (to double check)
If you log into your container and run the ps -ef command, you’ll see the shell is ran as root/1. Make this run as user 12345 instead, will this show up this way on your regular machine?
podman run -it –name=test4 –user 12345 docker.io/alpine sh
yes
ps -ef | grep 12345
Normally your container has access to all resources your host does.
Show it’s resources.
Create a container that can only use 50 Megs of mem and make it run in the background
CGropu limits app to set of resources so control groups allow us to share avail hardware to containers
podman stats test1
podman run -it –name=test6 –memory=50M -d alpine sh
What is UnionFS?
Union file system
file system that operate by creating layers
What is a registry?
Where can you see what registries podman will automatically search?
Stores images
podman info
grep *registries /etc/containers/registries.conf
Sometimes you will see the below errors:
Error relocating /lib/ld-mus1-x86_64.so.1: RELRO protection failed: permission denied
Error relocating /bin/echo: RELRO protection failed: Permission denied
What should you do?
sudo restorcon -R ~/.local/share/containers/storage/overlay*
search podman for ubuntu, only show the top 3 results
podman search ubuntu –limit 3
shutdown a container gracefully and then force
podman stop test1
podman kill test1 (this won’t be clean)
Look at an images network config
of httpd specifically the port
Make that port correspond to a port on your host
Confirm
Copy index.html from httd to your machine, make changes, and send back
podman inspect image_one
“config”:
podman run -d -p 8080:80 docker.io/library/httpd:latest
curl http://localhost;8080
podman exec -it container_name bash
ctrl ^pq
podman cp help
podman cp container_name:/usr/local/apache2/htdocs/index.html index.html
vi index.html
podman cp index.html container_name:/usr/local/apache2/htdocs/index.html
What’s the difference between podman run -p
and
podman run -P
podman run -p - publish container port or range of ports to host
podman run -P publich all exposed ports to random ports on the host interface
Rootless vs Rootfull containers
Rootless containers cannot create network interfaces on host, so the default net mode is slirp4netns. This lack features like it can’t give a container a routable IP.
Rootfull containers use netavark which allows container to have routable IP.
Create a sql database that an apache server uses
apache you will need:
docker.io/swapnillinux/apache-php
podman pull mysql-57
podman inspect mysql-57
podman run mysql-57
podman run –name=friends-db -p 3306:3306 -e MYSQL_USER=user1
-e MYSQL_PASSWORD=pass1234 -e MYSQL_DATABASE=friends -e MYSQL_ROOT_PASSWORD=rootpass -d mysql-57
(-e create environment variable)
podman inspect friends-db
(get the ip address)
podman pull docker.io/swapnillinux/apache-php
podman inspect apache-php (check ports)
podman run –name=friends-app -p 8080:80 - e -e MYSQL_USER=user1
-e MYSQL_PASSWORD=pass1234 -e MYSQL_DATABASE=friends -e MYSQL_ROOT_PASSWORD=rootpass -e DBHOST=mysql –add-host=mysql:10.88.0.3 -d apache-php
(DBHOST adds an ip to your /etc/host file)
(we’ll pull the application)
yum install git -y
git clone https://github.com/swapnil-linux/php-app
cd php-app
vi index.php
podman cp index.php friends-app:/var/www/html/index.php
podman ps
curl http://localhost:8080/index.php
podman exec -it friends-db bash
mysql -u user1 -ppass1234 friends
Insert whatever
quit
curl http://localhost:8080/index.php
cur http:/10.88.0.4 (if you’re looking via ip you don’t need to specify the port)
Show sizes of containers
Jump into a container and add a file
then delete a directory
Now show all changes to the container
Show all the tags/versions for alpine
Download a different version of alpine than latest
podman ps -s
podman exec -it container_name bash
podman diff test_1
C- Change
D - Delete
A - Add
podman search docker.io/library/alpine –list-tags | more
podman pull docker.io/library/alpine:20221110
Show how registries are searched
grep search /etc/containers/registries.conf
Show how much storage your images and containers are taking up
Delete
all stopped containers
all nets not used by containers
all dangling images (images without a name or tag)
all dangling build cache
Then remove everything
podman system df
podman system prune
podman system prune –all
Commit your changes to your container by making it into an image
Show images history
podman run –name=alpinebash -it docker.io/alpine sh
add some files, do whatever
exit
podman commit alpinebash swanil/alpinebash
podman history localhost/swapnil/alpinebash (shows what we did)
podman rm alpinebash
podman run -it –name=newalpine swapnil/alpinebash bash (if you downloaded bash)
Create a centos image from a dockerfile and add some commands
Add a description that will go in the metadata
Look at the metadata
This is my first Dockerfile
mkdir myhttpd
cd myhttpd
vi Dockerfile
FROM docker.io/centos:8
RUN yum update -y
RUN yum clean all -y
RUN yum install httpd php -y
RUN yum clean all -y
LABEL Description this is Apache
(you can also separate commands by && or semicolon, semicolon = will skip and continue if something doesn’t work)
podman build . -t myhttpd
podman images
podman history myhttpd
podman inspect myhttp (look for labels to find that metadata)
Create a temp container out of myhttpd that will erase itself to see if you’re running the right command to start httpd in the foreground
Run that command in your dockerfile for myhttpd but make it the FIRST command
Now change that to be a kernel exec function rather than shell (this runs faster)
podman run -it –rm (two hyphens!) myhttpd bash
ls /sbin/httpd -DFOREGROUND
^C
vi Dockerfile
FROM docker.io/centos:8
RUN yum update && yum install httpd php -y && yum clean all -y
LABEL author me
LABEL description: cool container
CMD /sbin/httpd -DFOREGROUND
podman build -t myhttpd
you can find this by
podman inspect myhttp
(look for cmd)
CMD [“/sbin/httpd”,”-DFOREGORUND”]
Create an index page for myhttpd and copy it over to the container via dockerfile
Then create multiple files that are archived
vi index.html
<h1>Wlecome to Podman</h2>
(put in same dir as docker file)
vi Dockerfile
From docker.io/centos:8
RUN yum update && yum install httpd php -y && yum clean all -y
LABEL author Me
COPY index.html /var/www/html/index.html
CMD ["/sbin/httpd","-DFOREGROUND"]
podman build . -t myhttpd
vi test.html
vi abc.html
tar czvf scs.tar.gz *.html
vi Dockerfile
COPY src.tar.gz /tmp
RUN tar xzvf /var/www/html/ (to untar)
OR
ADD src.tar.gz /var/www/html/ (this will untar automatically and if you have a file on a url)
podman build -t myhttpd .
curl http://localhost:8080/abc.html
</h1>
We will need to let everyone know what ports are exposed on our myhttpd
When you run your image, tell it to map the exposed port to a random port on your host so you don’t have to type out the extra info
vi Dockerfile
EXPOSE 80
EXPOSE 443
podman run -P -d myhttpd
podman port -l
curl http://localhost:34603
In your dockerfile, create a read/write layer - this saves over some changes making the container persistent
Add to the docker file at the end that you’d like to change the directory to /var/www/html/
vi Dockerfile
FROM docker.io/centos:8
RUN yum update && yum install httpd php -y && yum clean all -y
LABEL author ME
ADD scs.tar.gz /var/ww/html
EXPOSE 80 443
VOLUME /data
WORKDIR /var/www/html
CMD [“/sbin/tar.gz”,”-DFOREGROUND”]
Add some Environment variables to your Dockerfile
vi Dockerfile
FROM docker.io/centos:8
RUN yum update && yum install httpd php -y && yum clean all -y
LABEL author ME
ADD scs.tar.gz /var/ww/html
EXPOSE 80 443
VOLUME /data
WORKDIR /var/www/html
ENV APIKEY abcd12345
CMD [“/sbin/tar.gz”,”-DFOREGROUND”]
podman inspect myhttpd
Create a Centos Dockerfile named Dockerfile.app2 and build a container out of it called myapp version 1
create opt/src and go into that dir
unzip and untar src.tar.gz in that dir
have it run the command python -m SimpleHTTPServer 80
Make sure port 80 can be used for this
This will be running on your host as root user with a diff PID, not safe, what can you do to change that?
FROM docker.io/centos:7
WORKDIR /opt/src
ADD src.tar.gz /opt/src/
EXPOSE 80
CMD python -m SimpleHTTPServer 80
RUN chown -R 1500 /opt/src
podman build -f Dockerfile.app2 -t myapp:v1 .
USER 1500
podman run -d -P myapp:v1
curl http://localhost:32873/test.html
podman top container_name
ps -ef | grep SimpleHTTPServer
(see what ports being used)
podman port -l
Create a dockerfile that uses alpine to ping the localhost 3 times and call it test
Run this as a temporary container and add the ping -c5 google.com command to the end of it (this will overwrite your Dockerfile command.
Replace this with a Dockerfile command that prevents another command from being ran
Now make it to where the ping -c3 command is static and the hostname is editable
Since you’ve used build several times with the same tagged name you have some “dangling images” delete them.
mkdir myping
cp myping
vi Dockerfile
FROM docker.io/alpine:latest
CMD [“ping”,”-c3”,”localhost”]
podman build -t test .
podman run –rm test ping -c5 www.google.com
vi Dockerfile
FROM docker.io/alpine:latest
ENTRYPOINT [“ping”,”-c3”,”localhost”]
podman build -t test .
podman run –rm test ping -c5 www.google.com
vi Dockerfile
FROM docker.io/alpine:latest
ENTRYPOINT [“ping”,”-c3”]
CMD [“hostfile”]
podman build -t test .
podman system prune
podman run –rm test www.google.com
What option do you use on your build that doesn’t use existing cached images for the container build
–no-cache
Do not use existing cached images for the container build. Build from the start with a new set of cached layers.
This means it is freshly running the build and not using the previous image to start off with
Section 6 part 15… will revisit later.
Multi stage build the first part will show you how to make a Dockerfile that uses an app. Show how you would save space by making one part of the file a build and the next the image itself
mkdir mygoapp
cd mygoapp
vi app.go
package main
import fat
func main() {
fmt.println(“helllo world”)
}
vi Dockerfile
FROM golang:1.7.3
COPY app.go .
RUN go build -o app app.go
CMD [”./app”]
podman build -t mygoapp:v1 .
podman run mygoapp:v1
podman images (look at the sizes)
podman history
vi Dockerfile
FROM golang:1.7.3 AS build
COPY app.go
RUN go build -o app app.go .
CMD [”./app*”]
podman build -t mygoapp:v2
Run container on outside as danny, then inside
useradd danny
passwd danny
su -l danny (NEED TO USE -l OPTION OR YOU WILL GET AN ERROR)
podman run -it –name=this ubuntu
podman run -it –name=this ubuntu
useradd danny
^pq
podman commit this ub1
podman run -it –name=danny ub1
You’ve create an image called myhttpd, how would you send this to quay.io named flash
podman tag myhttpd quay.io/joshcahoe/flash:latest
podman login quay.io
login name and pass
podman push quay.io/joshcahoe/flash:latest
Might need to try twice if you receive an error.
Share an image without sending it to a registry
podman save myhttpd -o /tmp/myapps/myhttpd.tar
exit
login as other user
podman load -i /tmp/myapps/myhttpd.tar
Containers have their own ips, hostname and network, containers can’t communicate with host unless rootful and at that point they can only communicate with same network
Define different types of networking
Bridge network - virtual bridge connected to host. Like a switch between the two.
Overlay Network - Virtual network that spans multiple hosts
MACVLAN Network - Container connected to the host via its own MAC address. Looks like a separate device.
Show network drivers
show active network drivers
show a container’s network information
Create your own bridged network (these are like swiches on different networks)
You have a container that’s on the podman1 network you created, allow that container to now access and communicate with the “podman” network
Create a container from alpine and put it on the host network
sudo podman info | grep -A3 network
sudo podman network ls
podman run -it alpine sh
ifconfig (show net info)
if we create another alpine it will be on the same network and can communicate with alpine
podman network create –help
podman network create podman1
podman network ls
podman run –net=podman1 -it alpine sh
ifconfig
podman network connect podman container_name
podman inspect container_name | grep IPA
podman exec -it container_name sh
ifconfig (it will have two NICs)
podman run –net=host -it alpine sh
create a network with MACVLAN driver running off of your eth0 NIC and name it mynet give it a subnet and gateway that you’re using
podman network create –driver macvlan –subnet=172.31.10.0/16 –gateway=172.31.0.1 -o parent=eth0 mynet
podman network ls
podman network inspect mynet
podman run -it –net=mynet alpine sh
ifconfig eth0
Does a rootless container create a bridged network?
Show network information using grep to see what the default type network is.
Look at the info on the “podman” network, compare it to the ip of a rootless container you make to see their ips are on a diff network
Create a rootless container and put it on the bridged network, this won’t allow you to communicate with it, just put you on the network. And if you use that same command on another container it can communicate with it :)
No, this will give it a diff ip on a diff network called something different like tap0
podman info | grep -A3 -i network
podman network inspect podman
Remember your rootless container won’t be able to communicate with your host or other containers. We can see this by:
podman inspect container_image
this will show no ip
podman run -it -d –name=web –network=podman container_image
podman inspect container_image | grep IPA
Create a volume
Look at it’s info
run an image using the volume you created under /opt/data in the container.
Look at the container’s mounted objects and create a file in /opt/data
exit and remove the container
open a new container and mount the volume, see what happens
Remove the container along with it’s associated volume
podman volume –help
podman volume create mydata
podman volume inspect mydata
podman run -it -v mydata:/opt/data alpine sh
podman exec -it containeri_name bash
df -h
cd /opt/data
echo “hello” > test.txt
exit
podman volume inspect mydata (go to mountpoint)
cd /home/swapnil/.local/share/containers/storage/volumes/mydata/
cd _data
cat test.txt
podman rm container_name
podman run –name=test -it -v mydata:/opt/data alpine sh
cat /opt/data/test.txt
podman rm -v test2
What is a pod?
group of containers sharing namespaces and shred filesystem volumes
Have same network and pod ip.
Pods contain an infra container which just sleeps and holds the namespace. This allows podman to connect other containers to the pod.
So you can start and stop containers in the pod but the pod keeps running.
Create a pod
show the paused pod
show all running pods
show the infra container
add a container to the pod
show everything that’s in that pod
Confirm that they’re sharing the same network namespace
Run a podman ps command that will let you compare network namespaces
Kill the pod
podman pod –help
podman pod create –name=mypod
podman images (this will show “/pause” that’s the sleeping we talked about)
podman pod ps
podman ps -a –pod
podman run -d –pod mypod quay.io/alpine_nginx
podman ps -a –pod
podman run -itd –pod mypod docker.io/alpine sh
podman pod ps
podman ps
podman exec -it container_name
ps -ef
ifconfig
podman inspect container_name | grep IPA (namespace doesn’t exist)
podman inspect infra | grep IPA
(this will show the ip from the container)
podman ps –ns
(look at “NET” to check the network namespace)
podman pod kill mypod
podman system prune –all -f –volumes
Deploy a wordpress application
create pod wp with portforwarding, port 80 goes to host 38080
Run a sql database where it will restart the container if app gets killed
MYSQL_ROOT_PASSWORD=”myrootpass”
MYSQL_DATABASE=”wp”
MYSQL_USER=”wordpress”
MYSQL_PASSWORD=”w0rdpr3ss”
name=wptest-db docker.io/mariadb
Show everything in pod
Run your application pod
Use all the same environment variables but also add
WORDPRESS_DB_HOST=”127.0.0.1”
podman pod create –name=wp -p 38080:80
podman run -d –restart=always –pod=wp -e MYSQL_ROOT_PASSWORD=”myrootpass” -e MYSQL_DATABASE=”wp” -e MYSQL_USER=”wordpress” -e MYSQL_PASSWORD=”w0rdpr3ss” –name=wptest-db docker.io/mariadb
podman run -d –restart=always –pod=wp -e MYSQL_ROOT_PASSWORD=”myrootpass” -e MYSQL_DATABASE=”wp” -e MYSQL_USER=”wordpress” -e MYSQL_PASSWORD=”w0rdpr3ss -e WORDPRESS_DB_HOST=”127.0.0.1” –name=wptest-db docker.io/wordpress
podman pod ps -a –pod
podman pod ps
podman ps
Go to servera.cloud.mask365.com:38080
What is a quick way of creating a podman backup? This will create what you had but more quickly.
Create kubernetes file
Then run it
This will make it easy for someone that doesn’t know how to configure all this so they can simply use your container.
podman generate kube wp > wp.yml
(wp being the container name from earlier)
podman play kube wp.yml
podman pod ps
podman ps
podman ps -a
