Run Podman containers instead of Docker for RHEL v8.
Podman is a daemonless container engine for developing, managing, and running OCI Containers on the Linux System. Containers can either be run as root or in rootless mode.
If you use the Shell installer to install an engine, Cortex Xpanse automatically detects the container management type based on the operating system. For example, if your operating system is running RHEL v8 and higher, Cortex Xpanse installs Podman packages and configures the operating system to enable Podman in rootless mode.
Note
When upgrading an engine, the engine keeps the previously used container management type (regardless of distribution version).
By default, Podman uses the $HOME/.local/share/containers/storage
directory. To use a different directory for container storage, edit the Podman config file located at /home/demisto/.config/containers/storage.conf
. If the file does not exist, create it and change the ownership:
cp /etc/containers/storage.conf /home/demisto/.config/containers
chown demisto:demisto /home/demisto/.config/containers/storage.conf
To set a different directory for container storage, change the key: rootless_storage_path
in the storage.conf
file. For example, rootless_storage_path=/var/lib/containers/$USER/storage
The new storage directory needs to be owned by the demisto user, otherwise they will be denied access to it. To assign the demisto user ownership of the new storage directory, on the Linux command line, run chown -R demisto:demisto <NEW-LOCATION>
.
Do not use NAS storage for the $HOME directory. The directory needs to be a local directory for Podman to work.
Tip
We recommend reserving 150 GB for container storage, either in the /home partition or a different storage directory that you have set using the rootless_storage_path
key.
If using PowerShell integrations, you may need to configure the default SELinux policy as Podman can affect processes which mmap
to /dev/zero
.
Docker Hardening Guidelines
Docker hardening guidelines can be applied to Podman, with the exception of Limit Available Memory, Limit Available CPU, and Limit PIDS.