Run Podman containers instead of Docker for RHEL v8.
Podman is a daemonless container engine for developing, managing, and running OCI Containers on the Linux System. Containers can either be run as root or in rootless mode.
If you use the Shell installer to install an engine, Cortex Xpanse automatically detects the container management type based on the operating system. For example, if your operating system is running RHEL v8 and higher, Cortex Xpanse installs Podman packages and configures the operating system to enable Podman in rootless mode.
Note
When upgrading an engine, the engine keeps the previously used container management type (regardless of distribution version).
By default, Podman uses the $HOME/.local/share/containers/storage
directory. To use a different directory for container storage, edit the Podman config file located at /home/demisto/.config/containers/storage.conf
. If the file does not exist, create it and change the ownership:
cp /etc/containers/storage.conf /home/demisto/.config/containers
chown demisto:demisto /home/demisto/.config/containers/storage.conf
To set a different directory for container storage, change the key: rootless_storage_path
in the storage.conf
file. For example, rootless_storage_path=/var/lib/containers/$USER/storage
The new storage directory needs to be owned by the demisto user, otherwise they will be denied access to it. To assign the demisto user ownership of the new storage directory, on the Linux command line, run chown -R demisto:demisto <NEW-LOCATION>
.
Do not use NAS storage for the $HOME directory. The directory needs to be a local directory for Podman to work.
Tip
We recommend reserving 150 GB for container storage, either in the /home partition or a different storage directory that you have set using the rootless_storage_path
key.
If using PowerShell integrations, you may need to configure the default SELinux policy as Podman can affect processes which mmap
to /dev/zero
.
Docker Hardening Guidelines
Docker hardening guidelines can be applied to Podman, with the exception of Limit Available Memory, Limit Available CPU, and Limit PIDS.
Install Podman
Install Podman on engines for RHEL v8 or later.
This procedure for engines running on RHEL 8 or later. It may not work for other OS types.
Note
Do not use NAS storage for the $HOME directory. The directory needs to be a local directory for Podman to work.
Install Podman with related packages by typing the following commands:
sudo yum -y install slirp4netns fuse-overlayfs
sudo yum -y module install container-tools
Run the following commands:
sudo touch /etc/subuid /etc/subgid
sudo mkdir -p /home/demisto
sudo chown demisto:demisto /home/demisto
Configure the
unqualified-search-registries
used by Podman.Podman by default uses the fedoraproject.org, redhat.com, centos.org, and docker.io unqualified search registries. Since Cortex Xpanse images use only the docker.io registry, you can speed up download times for container images by setting
unqualified-search-registries
to just docker.io.Create or edit the
/home/demisto/.config/containers/registries.conf
config file.In the file, set
unqualified-search-registries = ["docker.io"]
.Note
If you edit the file with the
root
user, make sure to set thedemisto
user as file owner by runningchown demisto:demisto /home/demisto/.config/containers/registries.conf
Change the
subuids
andsubgids
by running the following command:sudo usermod --add-subuids 200000-265535 --add-subgids 200000-265535 demisto
Set the
net.ipv4.ping-group-range
, by typing the following commands:sudo sh -c "echo 'net.ipv4.ping_group_range=0 2000000' > /etc/sysctl.d/demisto-ping.conf"
sudo sysctl -w "net.ipv4.ping_group_range=0 2000000"
As root user, edit the following
config
file:/usr/local/demisto/d1.conf
Change the
"container.engine.type": "docker"
to“podman
”.If this line does not exist, add the following line to the file:
"container.engine.type": "podman"
"Server": { "HttpsPort": "443", "ProxyMode": true }, "container": { "engine": { "type": "podman" } }, "db": { "index": { "entry": { "disable": true
Troubleshoot Podman Installation
Troubleshoot Podman installation issues, including Keyring Quota Exceeded error and unused containers taking up resources.
Migrate From Docker to Podman
Switch from Docker to Podman when installing an engine for RHEL 8 or later.
Although Podman is set up automatically in an engine installation, it is possible to migrate from Docker to Podman in an existing engine.
Note
This procedure is intended for RHEL 8 or later. It may not work for other operating system types.
Do not use NAS storage for the $HOME directory. The directory needs to be a local directory for Podman to work.
Install Podman with related packages by typing the following commands:
sudo yum -y install slirp4netns fuse-overlayfs
sudo yum -y module install container-tools
Run the following commands:
sudo touch /etc/subuid /etc/subgid
sudo mkdir -p /home/demisto
sudo chown demisto:demisto /home/demisto
Configure the
unqualified-search-registries
used by Podman.Podman by default uses the fedoraproject.org, redhat.com, centos.org, and docker.io unqualified search registries. Since Cortex XSOAR images use only the
docker.io
registry, you can speed up download times for container images by settingunqualified-search-registries
to justdocker.io
.Create or edit the
/home/demisto/.config/containers/registries.conf
file.In the file, set
unqualified-search-registries = ["docker.io"]
.
Note
If you edit the file with the
root
user, make sure to set thedemisto
user as file owner by runningchown demisto:demisto /home/demisto/.config/containers/registries.conf
.Change the
subuids
andsubgids
:sudo usermod --add-subuids 200000-265535 --add-subgids 200000-265535 demisto
Migrate existing containers to Podman:
sudo sh -c "podman system migrate"
Set the
net.ipv4.ping-group-range
, by typing the following commands:sudo sh -c "echo 'net.ipv4.ping_group_range=0 2000000' > /etc/sysctl.d/demisto-ping.conf"
sudo sysctl -w "net.ipv4.ping_group_range=0 2000000"
As root user, edit the
/usr/local/demisto/d1.conf
fileChange the
"container.engine.type": "docker"
to"podman"
.If this line does not exist, add the following line to the file:
"container.engine.type": "podman"
"Server": { "HttpsPort": "443", "ProxyMode": true }, "container": { "engine": { "type": "podman" } }, "db": { "index": { "entry": { "disable": true
Restart the service:
sudo systemctl restart d1