2023-02-12
Still on Podman API. Podman don’t work like docker: the command line directly take care of the operations, whereas the in docker the command line “translate” the command in a API call to the Docker Engine through unix socket.
https://www.reddit.com/r/podman/comments/110j7i3/running_containers_from_go_program_rest_api_or_lib/
In order to spawn containers from the host, I can use either the lib of podman (written in go) or start the daemon REST API and use the bindings. Why would I use the later option, as it’s basically the same as docker? Because the daemon starts with the user’s privilege, so in rootless by default. But if my program is in a container, it can only use the REST API. And so, I need to mount the socket file as a volume.
Let’s say I’m using the second approach (simpler for admin). An blog post was written in 2020 about this: https://podman.io/blogs/2020/08/10/podman-go-bindings.html.
Also to read:
- https://blog.podman.io/2023/02/the-container-name-resolution-conundrum/
- https://www.redhat.com/sysadmin/controlling-access-rootless-podman-users
- https://www.redhat.com/sysadmin/behind-scenes-podman
https://wiki.archlinux.org/title/Podman says that podman require fuse-overlayfs to run in rootless.
Podman doesn’t have any registry by default, so podman pull httpd wouldn’t work. It’s the job of the admin to first pull my container, but the Manager should use a absolute path to pull and run containers.
from /etc/containers/registries.conf:
We recommend always using fully qualified image names including the registry server (full dns name), namespace, image name, and tag (e.g., registry.redhat.io/ubi8/ubi:latest) […] When using short names, there is always an inherent risk that the image being pulled could be spoofed.
When trying to pull the hello-world image, I discovered that docker’s container like https://hub.docker.com/_/hello-world have the full name docker.io/library/hello-world
I’ve been using the v2 lib of podman for a few hours before noticing latest is v4…