Phase 11: Containers (Podman)

RHEL uses Podman, not Docker. Podman is daemonless, rootless by default, and on the RHCSA exam. Docker is NOT on the exam.

Verify Podman

podman --version
# Should already be installed from Workstation group
# If not:
sudo dnf install -y podman podman-compose

Rootless Containers

# Run as regular user (no sudo)
podman run --rm docker.io/library/alpine echo "Hello from rootless container"
# List running containers
podman ps
# List images
podman images
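
Why "rootless" still gives you a root prompt inside the container: Podman maps container UIDs onto an unprivileged range from /etc/subuid. The script below is an added illustration, not part of this guide, and assumes Podman's default mapping (container UID 0 becomes your own UID; container UID n becomes subuid_start + n - 1). The /etc/subuid line and the UID 1000 are constructed sample values; on a real host read your own line with grep "^$(whoami):" /etc/subuid and the live map with podman unshare cat /proc/self/uid_map.

```shell
#!/bin/sh
# Added example (not from the original guide): rootless UID mapping.
# Assumes Podman's default mapping:
#   container UID 0          -> the user's own host UID
#   container UID n (n >= 1) -> subuid_start + (n - 1)

SAMPLE_SUBUID="student:100000:65536"   # constructed /etc/subuid line: user:start:count
HOST_UID=1000                          # constructed: 'student' is host UID 1000

# map_ctr_uid SUBUID_LINE HOST_UID CTR_UID
# Prints the host UID that owns files the container writes as CTR_UID,
# or "unmapped" when CTR_UID lies outside the allocated range.
map_ctr_uid() {
    line=$1; host=$2; ctr=$3
    start=$(printf '%s' "$line" | cut -d: -f2)
    count=$(printf '%s' "$line" | cut -d: -f3)
    if [ "$ctr" -eq 0 ]; then
        echo "$host"
    elif [ "$ctr" -ge 1 ] && [ "$ctr" -le "$count" ]; then
        echo $((start + ctr - 1))
    else
        echo "unmapped"
    fi
}

# Demo: root in the container is just you; nginx's worker UID 101 lands
# deep in the subuid range; anything past the range cannot be created at all.
for ctr in 0 101 65536 65537; do
    printf 'container uid %-6s -> host uid %s\n' "$ctr" \
        "$(map_ctr_uid "$SAMPLE_SUBUID" "$HOST_UID" "$ctr")"
done
```

This is why a bind-mounted directory written by a container's "root" shows up owned by your user on the host, and why a container process that escapes still holds no host root privilege.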

Persistent Container with Volume

# Create a directory on the data LV to use as the bind-mount source
mkdir -p /data/containers/nginx-data
# Run nginx with persistent storage
podman run -d \
  --name web \
  -p 8080:80 \
  -v /data/containers/nginx-data:/usr/share/nginx/html:Z \
  docker.io/library/nginx

The :Z suffix tells Podman to relabel the bind-mount source with the correct SELinux context, private to this container. Without it, SELinux will deny nginx access to the directory.

# Verify
curl http://localhost:8080

Systemd Integration (RHCSA Objective)

Generate a systemd user unit file from a running container:

# Generate unit file (--files writes container-web.service to the current directory;
# --new makes the service create a fresh container on every start instead of reusing "web")
podman generate systemd --name web --files --new
# Install as user service
mkdir -p ~/.config/systemd/user
mv container-web.service ~/.config/systemd/user/
# Enable and start
systemctl --user daemon-reload
systemctl --user enable --now container-web.service
# Enable lingering (keeps user services running after logout)
loginctl enable-linger $(whoami)
# Verify
systemctl --user status container-web.service

Pod Management

# Create a pod (group of containers sharing network namespace)
podman pod create --name webapp -p 8081:80
# Add containers to pod
podman run -d --pod webapp --name webapp-nginx docker.io/library/nginx
# List pods
podman pod list

SELinux and Containers

# Check container SELinux labels (ProcessLabel and MountLabel in the inspect output)
podman inspect web | grep -iE 'selinux|label'
# If a bind mount is denied by SELinux, use :Z (private) or :z (shared)
# :Z = relabel for this container only: container_file_t with this container's MCS categories
#      (svirt_sandbox_file_t is the legacy alias for the same type)
# :z = shared label: container_file_t:s0, so multiple containers can access it
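
The difference between :Z and :z is visible in the label itself, so you can tell from one ls -Zd line whether a bind-mount source is usable by containers at all, and if so whether it is private or shared. The helper below is an added example, not part of this guide or of Podman; the three ls -Zd lines are constructed sample output. On a real host, run ls -Zd /data/containers/nginx-data for the live label and sudo ausearch -m AVC -ts recent to read any denials.

```shell
#!/bin/sh
# Added example (not from the original guide): classify a bind-mount source
# from the output of `ls -Zd DIR`, which prints "context path".
# A context is user:role:type:level; the level is s0 alone for a shared (:z)
# label and s0:cNNN,cMMM for a label private to one container (:Z).
# container_file_t is the type Podman sets on RHEL 8/9; svirt_sandbox_file_t
# is its legacy alias. Any other type is denied to container processes.

# Constructed sample lines, as `ls -Zd` would print them:
PRIVATE="system_u:object_r:container_file_t:s0:c123,c456 /data/containers/nginx-data"
SHARED="system_u:object_r:container_file_t:s0 /data/containers/shared"
PLAIN="unconfined_u:object_r:default_t:s0 /data/containers/nginx-data"

# classify_label "LS_Z_LINE" -> private | shared | unlabeled
classify_label() {
    ctx=$(printf '%s\n' "$1" | awk '{print $1}')
    type=$(printf '%s' "$ctx" | cut -d: -f3)
    case "$type" in
        container_file_t|svirt_sandbox_file_t)
            case "$ctx" in
                *:s0:c*) echo private ;;   # has MCS categories: set by :Z
                *)       echo shared ;;    # bare s0: set by :z
            esac ;;
        *) echo unlabeled ;;               # no container type: expect an AVC denial
    esac
}

# Demo over the constructed samples
for line in "$PRIVATE" "$SHARED" "$PLAIN"; do
    printf '%-9s %s\n' "$(classify_label "$line")" "$line"
done
```

When a directory classifies as unlabeled after you ran with :Z, the relabel did not happen (for example because the path sits on a filesystem without SELinux labelling support), and the denial in ausearch will name default_t or user_home_t as the target type.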

Check Status

[ ] Podman installed and working
[ ] Rootless container runs without sudo
[ ] Persistent volume with SELinux :Z label
[ ] systemd user service generated from container
[ ] Lingering enabled for user services
[ ] Pod created and managed