Category: podman

Today, I set out to pull an image from Docker Hub on a RHEL 9 system using Podman. This step was part of my journey to install Watson Code Assistant for Z. While Podman is a great alternative to Docker on RHEL, the process had its quirks—especially when working with enterprise environments and specialized tools like Watson Code Assistant. In this post, I’ll share what worked, what didn’t, and some tips to make the setup smoother for anyone tackling the same challenge.

I can simulate the error using podman pull:

podman pull docker.io/library/orientdb:3.2.28
Trying to pull docker.io/library/orientdb:3.2.28…
WARN[0000] Failed, retrying in 1s ... (1/3). Error: initializing source docker://orientdb:3.2.28: pinging container registry registry-1.docker.io: Get "https://registry-1.docker.io/v2/": read tcp 123.123.3.60:35924->98.90.233.146:443: read: connection reset by peer
WARN[0001] Failed, retrying in 1s ... (2/3). Error: initializing source docker://orientdb:3.2.28: pinging container registry registry-1.docker.io: Get "https://registry-1.docker.io/v2/": read tcp 123.123.3.60:57270->52.2.233.225:443: read: connection reset by peer
WARN[0003] Failed, retrying in 1s ... (3/3). Error: initializing source docker://orientdb:3.2.28: pinging container registry registry-1.docker.io: Get "https://registry-1.docker.io/v2/": read tcp 123.123.3.60:59134->3.93.227.105:443: read: connection reset by peer
Error: unable to copy from source docker://orientdb:3.2.28: initializing source docker://orientdb:3.2.28: pinging container registry registry-1.docker.io: Get "https://registry-1.docker.io/v2/": read tcp 123.24.3.60:57266->44.220.224.219:443: read: connection reset by peer

In most cases, the standard approach to enable image pulling behind a corporate proxy is to set the appropriate environment variables. This typically involves exporting your proxy settings like so:

export http_proxy="http://<proxy-host>:<proxy-port>"
export https_proxy="http://<proxy-host>:<proxy-port>"
export no_proxy="localhost,127.0.0.1"

The standard approach did not work, so I configured the proxy globally on RHEL 9.

Create or edit the file /etc/environment (this affects all users and most services):

sudo vi /etc/environment

Add the following lines (replace with your actual proxy details):

http_proxy="http://proxy.example.com:8080"
https_proxy="http://proxy.example.com:8080"
ftp_proxy="http://proxy.example.com:8080"

If your proxy requires authentication, use these lines instead (the password is a placeholder; keep in mind that it is stored in clear text in a world-readable file):

http_proxy="http://username:<password>@proxy.example.com:8080"
https_proxy="http://username:<password>@proxy.example.com:8080"

The no-proxy list (local networks, internal hosts) is very important. Change the example below to match your network:

no_proxy="localhost,127.0.0.1,::1,.example.com,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"
NO_PROXY="localhost,127.0.0.1,::1,.example.com,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"

Save the file and source it. Note that /etc/environment is read by PAM at login, not by the shell: new login sessions get these variables automatically, while sourcing only sets them in the current shell (they reach podman only if they are exported, for example because you ran the export commands above first or used set -a before sourcing):

source /etc/environment

podman pull docker.io/library/orientdb:3.2.28
Trying to pull docker.io/library/orientdb:3.2.28…
Getting image source signatures
Copying blob sha256:2d2472ac6840da0115175cae8b0be8d1b8c2b6b74acb5fc6bf185b0c9333b8a3
Copying blob sha256:9b076355b79badd38bc5732aebeb48133934a0adae078e4a6bf52c7d9d7a4a82
Copying blob sha256:0dde1d053504a51dc52d89eb36d703df02afbbc274b25ac00c02fe219e2d6f7c
Copying blob sha256:bd259c2f39c587be8bdd17660976c6158388173b58e226f2b5095d399cf658f2
Copying blob sha256:a22bcaede3cb82201c2804d7a050cbf18f994bd6f0b34f3ec133a47cc3c24ca9
Copying blob sha256:c050069391baee7bb13200b3297c944c954a22f0428769272d51e6cba8118a36
Copying blob sha256:42b80092d7e24557b10ea1e44542f6f887201fe9b56381a4a477cfbf9f2fc099
Copying config sha256:26cbda2db34c77dd8240b721da4177c6b43d6148f50d1ff15b81ce6c5c8869a9
Writing manifest to image destination
26cbda2db34c77dd8240b721da4177c6b43d6148f50d1ff15b81ce6c5c8869a9


Today I got the following error when I tried to run the command:

./cpd-cli manage login-entitled-registry ${IBM_ENTITLEMENT_KEY}

Run command: podman run -d --name olm-utils-play --env CMD_PREFIX=manage -v /opt/cpd-cli-linux-EE-12.0.2-39/cpd-cli-workspace/olm-utils-workspace/work:/tmp/work icr.io/cpopen/cpd/olm-utils:latest
[ERROR] 2023-03-06T12:41:55.991666Z Command exception: Failed to start the olm-utils-play container: Error: runc: container_linux.go:370: starting container process caused: error adding seccomp filter rule for syscall bdflush: permission denied: OCI permission denied (exit status 126)
[ERROR] 2023-03-06T12:41:55.998354Z RunPluginCommand:Execution error: exit status 1

This error happened because the runc version was too old. My bastion host was RHEL 8.4. To solve the problem I simply updated the system packages, and everything worked.


Podman pods are very similar to Kubernetes pods in that they can contain more than one container.

Every Podman pod contains one infra container by default. This container holds the pod's shared namespaces and allows podman to join the other containers to the pod.

Create a Pod using Podman

The first step is to create a Pod using podman:

sudo podman pod create --name <podname>

For our example we will create a pod with the name wp-pod

sudo podman pod create -p 8080:80 --name wp-pod

After creating the Pod you can see the infra container using the command:

sudo podman ps -a --pod

Note that host port 8080 has been redirected to port 80 of the pod. Port mappings must be set when the pod is created; they cannot be changed later.

Adding containers to a Pod

To add a container to a pod we use the --pod option of the podman run command.

sudo podman run -d --name <container name> --pod <podname> <imagename>

Creating a container using the mariadb image

To run WordPress we need a database. In this case I will use the mariadb image and add it to the pod wp-pod.

sudo podman run -d --restart=always --pod wp-pod \
  -e MYSQL_ROOT_PASSWORD="myrootpass" \
  -e MYSQL_DATABASE="wpdb" \
  -e MYSQL_USER="wpuser" \
  -e MYSQL_PASSWORD="w0rdpr3ss" \
  --name=wp-db registry.access.redhat.com/rhscl/mariadb-100-rhel7

Next we will create a wordpress container, add it to the pod and connect it to the previously created database.

sudo podman run -d --restart=always --pod wp-pod \
  -e WORDPRESS_DB_NAME="wpdb" \
  -e WORDPRESS_DB_USER="wpuser" \
  -e WORDPRESS_DB_PASSWORD="w0rdpr3ss" \
  -e WORDPRESS_DB_HOST="127.0.0.1" --name wp-web wordpress

To verify that everything is working, run:

curl http://localhost:8080/wp-admin/install.php

The text of an HTML page will appear in the console:

<!DOCTYPE html><html lang="en-US" xml:lang="en-US"><head>
<meta name="viewport" content="width=device-width" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <meta name="robots" content="noindex,nofollow" />
  <title>WordPress &rsaquo; Installation</title>
  <link rel='stylesheet' id='dashicons-css'  href='http://localhost:8080/wp-includes/css/dashicons.min.css?ver=5.8.2' type='text/css' media='all' />…

So far, we have a pod with 3 containers: infra, wp-db and wp-web. The pod is running as root and also does not have a volume associated for data persistence.

Rootless Podman

Rootless podman (running Podman as a non-root user) needs to do some gymnastics to get the same container experience you’re familiar with from docker, but without requiring root.

When you run rootless podman, it uses a user namespace to map between the user IDs in the container and the user IDs on your host.

All rootless containers run by you are run inside the same user namespace.

By using the same user namespace, your containers can share resources with each other, without needing to ask for root privileges.

Podman uses this user namespace to mount filesystems or to run a container that accesses more than one user ID (UID) or group ID (GID).

This mapping is fine for most situations, except when the container needs to be able to share something with the host, like a volume.

When the container runs, any volumes shared with it appear inside the user namespace as owned by root/root, because the mapping turns your UID on the host (e.g. 1000) into root (0) in the container.

This means that if you're running your container process as a non-root user, it won't be able to write to that directory, and I don't want to disable SELinux.

This is where podman unshare comes in.

Running wp-pod as a rootless pod with a volume to persist data

First we need to create a directory that the container can use:

mkdir /home/<username>/dbfiles

Using the podman inspect command we can see that the mariadb container runs as user 27.

We then execute the command:

podman unshare chown 27:27 -R /home/kenio/dbfiles
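Added example (mine, not code from the post or from Podman) showing why the podman unshare chown 27:27 step above is needed: it translates container UIDs to host UIDs the way the rootless user namespace described earlier does, using the format of /proc/self/uid_map (container_id host_id count). The sample map is constructed for a user with host UID 1000 and a /etc/subuid range starting at 100000; these values are assumptions, and the real map comes from podman unshare cat /proc/self/uid_map.

```python
from typing import List, Optional, Tuple

# Constructed sample of /proc/self/uid_map as seen inside "podman unshare":
# container root (0) is host UID 1000, container 1..65536 are host 100000..165535.
SAMPLE_UID_MAP = """\
         0       1000          1
         1     100000      65536
"""

Range = Tuple[int, int, int]  # (container_start, host_start, count)


def parse_uid_map(text: str) -> List[Range]:
    """Parse uid_map/gid_map lines into (container_start, host_start, count) tuples."""
    ranges: List[Range] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ranges.append((int(parts[0]), int(parts[1]), int(parts[2])))
    return ranges


def container_to_host(uid_map: List[Range], container_uid: int) -> int:
    """Host UID that owns a file chowned to container_uid inside the namespace."""
    for c_start, h_start, count in uid_map:
        if c_start <= container_uid < c_start + count:
            return h_start + (container_uid - c_start)
    # Outside the subuid range: the kernel refuses the chown with EINVAL.
    raise ValueError(f"container UID {container_uid} is not mapped")


def host_to_container(uid_map: List[Range], host_uid: int) -> Optional[int]:
    """Container UID a host-owned file shows as; None means unmapped (appears as nobody, 65534)."""
    for c_start, h_start, count in uid_map:
        if h_start <= host_uid < h_start + count:
            return c_start + (host_uid - h_start)
    return None


def explain_unshare_chown(uid_map: List[Range], container_uid: int) -> str:
    """Describe what 'podman unshare chown <uid>' leaves on the host."""
    host_uid = container_to_host(uid_map, container_uid)
    return f"container UID {container_uid} -> host UID {host_uid}"


if __name__ == "__main__":
    uid_map = parse_uid_map(SAMPLE_UID_MAP)
    print(explain_unshare_chown(uid_map, 27))   # container UID 27 -> host UID 100026
    print(host_to_container(uid_map, 1000))     # 0: your own files look root-owned
    print(host_to_container(uid_map, 0))        # None: root-owned host dirs look like nobody
```

This is why ls on the host shows the dbfiles directory owned by a large UID such as 100026 after the chown, and why a directory left owned by your own user is root-owned (and unwritable for UID 27) inside the container.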

To remove the previously created pod:

sudo podman pod stop wp-pod

sudo podman pod rm wp-pod

Perform the following steps to create the wp-pod as rootless:

podman pod create --name=wp-pod -p 8080:80

podman run -d --restart=always \
  -v /home/kenio/dbfiles:/var/lib/mysql/data:Z --pod wp-pod \
  -e MARIADB_ROOT_PASSWORD="password" \
  -e MYSQL_ROOT_PASSWORD="password" \
  -e MYSQL_DATABASE="wpdb" \
  -e MYSQL_USER="wpuser" \
  -e MYSQL_PASSWORD="w0rdpr3ss" \
  --name=wp-db registry.access.redhat.com/rhscl/mariadb-100-rhel7


Note that I add the :Z flag to the volume. This tells Podman to label the volume content as “private unshared” with SELinux.

This label allows the container to write to the volume, but doesn’t allow the volume to be shared with other containers.


podman run -d --restart=always --pod=wp-pod \
  -e WORDPRESS_DB_NAME="wpdb" \
  -e WORDPRESS_DB_USER="wpuser" \
  -e WORDPRESS_DB_PASSWORD="w0rdpr3ss" \
  -e WORDPRESS_DB_HOST="127.0.0.1" --name wp-web wordpress

Use curl http://localhost:8080/wp-admin/install.php to verify that everything is running.

Use podman logs --names <container name> to check the logs of the containers.

I am using RHEL 8.3 and Podman version 3.2.3.

If you want to access the WordPress pod from an external machine, you also need to open the port in the firewall, as I had to in my case:

sudo firewall-cmd --add-port=8080/tcp --permanent

sudo firewall-cmd --reload


Many thanks to Tom Donohue for his article about rootless podman:

https://www.tutorialworks.com/podman-rootless-volumes/
