Podman - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Product
Cortex XPANSE
Version
2
Creation date
2024-08-29
Last date published
2024-12-26
Category
User Guide
Solution
Cloud
Abstract

Run Podman containers instead of Docker for RHEL v8.

Podman is a daemonless container engine for developing, managing, and running OCI containers on Linux. Containers can run either as root or in rootless mode.

If you use the Shell installer to install an engine, Cortex Xpanse automatically detects the container management type based on the operating system. For example, on RHEL 8 or later, Cortex Xpanse installs the Podman packages and configures the operating system to run Podman in rootless mode.

Note

When upgrading an engine, the engine keeps the previously used container management type, regardless of the distribution version.

By default, rootless Podman stores images and containers under $HOME/.local/share/containers/storage. To use a different directory, edit the demisto user's Podman storage configuration at /home/demisto/.config/containers/storage.conf. If the file does not exist, copy the system-wide file into place and give the demisto user ownership of the configuration directory and file:

  • mkdir -p /home/demisto/.config/containers && cp /etc/containers/storage.conf /home/demisto/.config/containers

  • chown -R demisto:demisto /home/demisto/.config/containers

To set a different directory for container storage, set the rootless_storage_path key in the [storage] section of storage.conf. The file is TOML, so the value must be quoted, for example: rootless_storage_path = "/var/lib/containers/$USER/storage" (Podman expands $USER, $HOME and $UID in this value).

The new storage directory must be owned by the demisto user; otherwise Podman, running as that user, is denied access to it. To assign ownership, run chown -R demisto:demisto <NEW-LOCATION> on the Linux command line.

Do not use NAS storage for the $HOME directory. The directory needs to be a local directory for Podman to work.

Tip

We recommend reserving 150 GB for container storage, either in the /home partition or a different storage directory that you have set using the rootless_storage_path key.
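The storage relocation described above, as an added shell example that is not part of the Cortex Xpanse guide: it writes the rootless storage.conf with a properly quoted rootless_storage_path, refuses a target that sits on a network filesystem (the NAS warning above), warns when fewer than the recommended 150 GiB are free, and hands ownership of both the storage tree and the configuration to the engine user. The owner spec (demisto:demisto), home directory and target path are parameters; the list of filesystem types treated as remote is this example's own choice.

```shell
#!/bin/sh
# Added example (not part of the Cortex Xpanse guide): relocate rootless
# Podman storage for the engine user. Assumes a RHEL 8+ host with GNU
# coreutils; owner, home and target path are passed in by the caller.
set -eu

# fs_is_local DIR: succeed unless DIR sits on a network filesystem.
# Rootless Podman needs a local filesystem for its overlay storage, so
# NAS-backed paths (NFS, CIFS/SMB and similar) are rejected. The list of
# remote types is this example's choice, keyed on `stat -f -c %T` names.
fs_is_local() {
    case "$(stat -f -c %T -- "$1")" in
        nfs|nfs4|cifs|smb2|smbfs|fuse.sshfs|fuse.glusterfs|ceph|afs|9p) return 1 ;;
        *) return 0 ;;
    esac
}

# render_storage_conf PATH: the [storage] table for
# ~/.config/containers/storage.conf. The file is TOML, so the path must be
# quoted; Podman itself expands $USER, $HOME and $UID inside the value,
# which is why any such tokens are written literally, not expanded here.
render_storage_conf() {
    printf '[storage]\ndriver = "overlay"\nrootless_storage_path = "%s"\n' "$1"
}

# free_gib DIR: free space on DIR's filesystem in whole GiB (POSIX df -P).
free_gib() {
    df -Pk -- "$1" | awk 'NR == 2 { printf "%d\n", $4 / 1048576 }'
}

# setup_rootless_storage OWNER HOME NEW_PATH [MIN_GIB]
#   OWNER    user:group that runs the engine, e.g. demisto:demisto
#   HOME     that user's home directory, e.g. /home/demisto
#   NEW_PATH concrete storage directory (no $USER placeholders here)
#   MIN_GIB  free-space threshold to warn about; the guide recommends 150
setup_rootless_storage() {
    owner=$1; home=$2; new_path=$3; min_gib=${4:-150}
    conf_dir="$home/.config/containers"

    mkdir -p -- "$new_path"
    if ! fs_is_local "$new_path"; then
        echo "refusing $new_path: $(stat -f -c %T -- "$new_path") is a network filesystem" >&2
        return 1
    fi
    if [ "$(free_gib "$new_path")" -lt "$min_gib" ]; then
        echo "warning: less than ${min_gib} GiB free under $new_path" >&2
    fi
    mkdir -p -- "$conf_dir"
    render_storage_conf "$new_path" > "$conf_dir/storage.conf"
    # Both the storage tree and the config must belong to the rootless
    # user; root-owned files here are exactly the access-denied failure
    # the guide warns about.
    chown -R -- "$owner" "$new_path" "$conf_dir"
}

# Invocation matching the guide (run as root on the engine host):
#   setup_rootless_storage demisto:demisto /home/demisto /var/lib/containers/demisto/storage
```

After running it as root, `sudo -u demisto podman info` should report the new path under store.graphRoot; if it still shows $HOME/.local/share/containers/storage, the file was written to a different home directory than the one Podman is reading.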

If you use PowerShell integrations, you may need to adjust the default SELinux policy, because Podman can affect processes that mmap /dev/zero.

Docker Hardening Guidelines

Docker hardening guidelines can be applied to Podman, with the exception of Limit Available Memory, Limit Available CPU, and Limit PIDS.

Install Podman
Abstract

Install Podman on engines for RHEL v8 or later.

This procedure is for engines running RHEL 8 or later. It may not work on other operating systems.

Note

Do not use NAS storage for the $HOME directory. The directory needs to be a local directory for Podman to work.

  1. Install Podman with related packages by typing the following commands:

    • sudo yum -y install slirp4netns fuse-overlayfs

    • sudo yum -y module install container-tools

  2. Run the following commands:

    • sudo touch /etc/subuid /etc/subgid

    • sudo mkdir -p /home/demisto

    • sudo chown demisto:demisto /home/demisto

  3. Configure the unqualified-search-registries used by Podman.

    When an image name carries no registry prefix, Podman tries each registry in the distribution's default unqualified-search list (several Red Hat registries as well as docker.io). Cortex Xpanse images are pulled only from docker.io, so setting unqualified-search-registries to just docker.io speeds up image downloads and also guarantees that a short image name can never resolve to a different registry.

    1. Create or edit the /home/demisto/.config/containers/registries.conf config file.

    2. In the file, set unqualified-search-registries = ["docker.io"].

      Note

      If you edit the file with the root user, make sure to set the demisto user as file owner by running chown demisto:demisto /home/demisto/.config/containers/registries.conf

  4. Assign subordinate UID and GID ranges to the demisto user (rootless Podman maps container UIDs and GIDs into these ranges) by running the following command:

    sudo usermod --add-subuids 200000-265535 --add-subgids 200000-265535 demisto

  5. Set the net.ipv4.ping_group_range sysctl, both persistently and for the running kernel, by typing the following commands:

    • sudo sh -c "echo 'net.ipv4.ping_group_range=0 2000000' > /etc/sysctl.d/demisto-ping.conf"

    • sudo sysctl -w "net.ipv4.ping_group_range=0 2000000"

  6. As the root user, edit the engine configuration file /usr/local/demisto/d1.conf.

  7. Change "container.engine.type": "docker" to "podman".

    If this line does not exist, add the following line to the file:

    "container.engine.type": "podman"

    In the file's nested JSON form this is the "type" key inside "container" and "engine". The relevant part of the file then reads as follows (excerpt):

    "Server": {
        "HttpsPort": "443",
        "ProxyMode": true
    },
    "container": {
        "engine": {
            "type": "podman"
        }
    },
    "db": {
        "index": {
            "entry": {
                "disable": true

Troubleshoot Podman Installation
Abstract

Troubleshoot Podman installation issues, including Keyring Quota Exceeded error and unused containers taking up resources.

Migrate From Docker to Podman
Abstract

Switch an existing engine running on RHEL 8 or later from Docker to Podman.

Although Podman is set up automatically in an engine installation, it is possible to migrate from Docker to Podman in an existing engine.

Note

  • This procedure is intended for RHEL 8 or later. It may not work for other operating system types.

  • Do not use NAS storage for the $HOME directory. The directory needs to be a local directory for Podman to work.

  1. Install Podman with related packages by typing the following commands:

    • sudo yum -y install slirp4netns fuse-overlayfs

    • sudo yum -y module install container-tools

  2. Run the following commands:

    • sudo touch /etc/subuid /etc/subgid

    • sudo mkdir -p /home/demisto

    • sudo chown demisto:demisto /home/demisto

  3. Configure the unqualified-search-registries used by Podman.

    When an image name carries no registry prefix, Podman tries each registry in the distribution's default unqualified-search list (several Red Hat registries as well as docker.io). Cortex Xpanse images are pulled only from docker.io, so setting unqualified-search-registries to just docker.io speeds up image downloads and also guarantees that a short image name can never resolve to a different registry.

    1. Create or edit the /home/demisto/.config/containers/registries.conf file.

    2. In the file, set unqualified-search-registries = ["docker.io"].

    Note

    If you edit the file with the root user, make sure to set the demisto user as file owner by running chown demisto:demisto /home/demisto/.config/containers/registries.conf.

  4. Assign subordinate UID and GID ranges to the demisto user (rootless Podman maps container UIDs and GIDs into these ranges):

    sudo usermod --add-subuids 200000-265535 --add-subgids 200000-265535 demisto

  5. Apply the new subordinate ID ranges to the demisto user's Podman state. podman system migrate stops that user's running Podman containers and re-creates the rootless user namespace with the current /etc/subuid and /etc/subgid mappings; it does not convert existing Docker containers. Because it acts on the invoking user's rootless state, run it as the demisto user:

    sudo -u demisto podman system migrate

  6. Set the net.ipv4.ping_group_range sysctl, both persistently and for the running kernel, by typing the following commands:

    • sudo sh -c "echo 'net.ipv4.ping_group_range=0 2000000' > /etc/sysctl.d/demisto-ping.conf"

    • sudo sysctl -w "net.ipv4.ping_group_range=0 2000000"

  7. As the root user, edit the engine configuration file /usr/local/demisto/d1.conf.

  8. Change "container.engine.type": "docker" to "podman".

    If this line does not exist, add the following line to the file:

    "container.engine.type": "podman"

    In the file's nested JSON form this is the "type" key inside "container" and "engine". The relevant part of the file then reads as follows (excerpt):

    "Server": {
        "HttpsPort": "443",
        "ProxyMode": true
    },
    "container": {
        "engine": {
            "type": "podman"
        }
    },
    "db": {
        "index": {
            "entry": {
                "disable": true

  9. Restart the service:

    sudo systemctl restart d1
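A post-install check for the two procedures above (Install Podman and Migrate From Docker to Podman), as an added shell example that is not part of the Cortex Xpanse guide. It reads the state those steps leave behind rather than trusting that each command succeeded: the demisto user's subordinate ID range and whether any two users' ranges overlap, the live net.ipv4.ping_group_range, and the unqualified-search-registries setting. The /etc/subuid and registries.conf contents in the demo are constructed for illustration (one overlap is deliberate so the detection fires); on a real engine point the functions at /etc/subuid, /etc/subgid and /home/demisto/.config/containers/registries.conf.

```shell
#!/bin/sh
# Added example (not part of the Cortex Xpanse guide): verify the rootless
# Podman prerequisites from their on-disk state. Assumes the "demisto" user
# of the guide and a Linux host (reads /proc/sys for the live sysctl value).
set -eu

# subid_range FILE USER: print "start count" for USER in an /etc/subuid or
# /etc/subgid file (lines are name:start:count). Fails if USER has no entry.
subid_range() {
    awk -F: -v u="$2" 'NF >= 3 && $1 == u { print $2, $3; found = 1 }
                        END { exit !found }' "$1"
}

# subid_range_ok FILE USER [MIN]: USER owns at least MIN subordinate IDs
# (default 65536, the full 0-65535 range an image expects to be mapped).
subid_range_ok() {
    subid_range "$1" "$2" | awk -v min="${3:-65536}" '{ ok = ($2 >= min) } END { exit !ok }'
}

# subid_overlaps FILE: print each pair of different users whose ranges
# intersect. Shared subordinate IDs mean files created by one user's
# containers are owned by IDs another user's containers can also run as,
# which defeats the per-user isolation rootless mode is meant to provide.
subid_overlaps() {
    awk -F: '
        NF >= 3 { n++; name[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1 }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (name[i] != name[j] && lo[i] <= hi[j] && lo[j] <= hi[i])
                        print name[i], name[j]
        }' "$1"
}

# ping_group_range_ok RANGE GID: RANGE is "low high" as read from
# net.ipv4.ping_group_range; GID must lie inside it, or ping from a rootless
# container run by that user fails. The kernel default "1 0" admits no group.
ping_group_range_ok() {
    set -- $1 "$2"                 # word-split "low high"; GID becomes $3
    [ $# -eq 3 ] || return 1
    [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]
}

# registries_conf_ok FILE: docker.io is the only unqualified-search registry,
# so an image referenced by short name cannot be fetched from elsewhere.
registries_conf_ok() {
    awk '
        /^[[:space:]]*unqualified-search-registries[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); gsub(/[[:space:]]/, "")
            ok = ($0 == "[\"docker.io\"]")
        }
        END { exit !ok }' "$1"
}

# Demo on constructed files (bob's range deliberately overlaps demisto's).
# On an engine use /etc/subuid, /etc/subgid and
# /home/demisto/.config/containers/registries.conf instead.
demo=$(mktemp -d)
printf 'alice:100000:65536\ndemisto:200000:65536\nbob:230000:65536\n' > "$demo/subuid"
printf 'unqualified-search-registries = ["docker.io"]\n' > "$demo/registries.conf"

subid_range_ok "$demo/subuid" demisto && echo "demisto subuid range: ok"
subid_overlaps "$demo/subuid" | sed 's/^/overlapping subuid ranges: /'
registries_conf_ok "$demo/registries.conf" && echo "registries.conf: ok"
gid=$(id -g demisto 2>/dev/null || id -g)
ping_group_range_ok "$(cat /proc/sys/net/ipv4/ping_group_range)" "$gid" \
    && echo "ping_group_range admits gid $gid" || echo "ping_group_range excludes gid $gid"
rm -rf "$demo"
```

Run the same functions against /etc/subgid as well; the guide's usermod command adds both ranges, but only one of them being present is a common result of a partially applied step. An overlap reported by subid_overlaps on a real host should be resolved by moving one user's range before starting the engine, since Podman does not check for it.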