Book Image

Podman for DevOps

By : Alessandro Arrichiello, Gianni Salinetti
Book Image

Podman for DevOps

By: Alessandro Arrichiello, Gianni Salinetti

Overview of this book

As containers have become the new de facto standard for packaging applications and their dependencies, understanding how to implement, build, and manage them is now an essential skill for developers, system administrators, and SRE/operations teams. Podman and its companion tools Buildah and Skopeo make a great toolset to boost the development, execution, and management of containerized applications. Starting with the basic concepts of containerization and its underlying technology, this book will help you get your first container up and running with Podman. You'll explore the complete toolkit and go over the development of new containers, their lifecycle management, troubleshooting, and security aspects. Together with Podman, the book illustrates Buildah and Skopeo to complete the tools ecosystem and cover the complete workflow for building, releasing, and managing optimized container images. Podman for DevOps provides a comprehensive view of the full-stack container technology and its relationship with the operating system foundations, along with crucial topics such as networking, monitoring, and integration with systemd, docker-compose, and Kubernetes. By the end of this DevOps book, you'll have developed the skills needed to build and package your applications inside containers as well as to deploy, manage, and integrate them with system services.
Table of Contents (19 chapters)
1
Section 1: From Theory to Practice: Running Containers with Podman
7
Section 2: Building Containers from Scratch with Buildah
12
Section 3: Managing and Integrating Containers Securely

SELinux interaction with containers

In this section, we will discuss SELinux policies and introduce Udica, a tool that's used to generate SELinux profiles for containers.

SELinux works directly in kernel space and manages object isolation while following a least-privilege model that contains a series of policies that can handle enforcing or exceptions. To define these objects, SELinux uses labels that define types. By default, SELinux works in Enforcing mode, denying access to resources with a series of exceptions defined by policies. To disable Enforcing mode, SELinux can be put in Permissive mode, where violations are only audited, without them being blocked.

Security Alert

As we mentioned previously, switching SELinux to Permissive mode or completely disabling it is not a good practice as it opens you up to potential security threats. Instead of doing that, users should create custom policies to manage the necessary exceptions.

By default, SELinux uses a targeted...