RH199 - ch16s07

Course update

An updated version of this course is available that uses a newer version of Red Hat Enterprise Linux in the lab environment. Therefore, the RHEL 9.0 version of the lab environment will retire on December 31, 2024. Please complete any work in this lab environment before it is removed on December 31, 2024. For the most up-to-date version of this course, we recommend moving to the RHEL 9.3 version.

Preface A: Introduction

Section A.1: RHCSA Rapid Track

Section A.2: Orientation to the Classroom Environment

Section A.3: Performing Lab Exercises

Chapter 1: Access Systems and Get Support

Section 1.1: Edit Text Files from the Shell Prompt

Section 1.2: Guided Exercise: Edit Text Files from the Shell Prompt

Section 1.3: Configure SSH Key-based Authentication

Section 1.4: Guided Exercise: Configure SSH Key-based Authentication

Section 1.5: Create a Diagnostics Report

Section 1.6: Guided Exercise: Create a Diagnostics Report

Section 1.7: Detect and Resolve Issues with Red Hat Insights

Section 1.8: Quiz: Detect and Resolve Issues with Red Hat Insights

Section 1.9: Summary

Chapter 2: Manage Files from the Command Line

Section 2.1: Describe Linux File System Hierarchy Concepts

Section 2.2: Quiz: Describe Linux File System Hierarchy Concepts

Section 2.3: Make Links Between Files

Section 2.4: Guided Exercise: Make Links Between Files

Section 2.5: Match File Names with Shell Expansions

Section 2.6: Quiz: Match File Names with Shell Expansions

Section 2.7: Lab: Manage Files from the Command Line

Section 2.8: Summary

Chapter 3: Manage Local Users and Groups

Section 3.1: Describe User and Group Concepts

Section 3.2: Quiz: Describe User and Group Concepts

Section 3.3: Gain Superuser Access

Section 3.4: Guided Exercise: Gain Superuser Access

Section 3.5: Manage Local User Accounts

Section 3.6: Guided Exercise: Manage Local User Accounts

Section 3.7: Manage Local Group Accounts

Section 3.8: Guided Exercise: Manage Local Group Accounts

Section 3.9: Manage User Passwords

Section 3.10: Guided Exercise: Manage User Passwords

Section 3.11: Lab: Manage Local Users and Groups

Section 3.12: Summary

Chapter 4: Control Access to Files

Section 4.1: Manage File System Permissions from the Command Line

Section 4.2: Guided Exercise: Manage File System Permissions from the Command Line

Section 4.3: Manage Default Permissions and File Access

Section 4.4: Guided Exercise: Manage Default Permissions and File Access

Section 4.5: Lab: Control Access to Files

Section 4.6: Summary

Chapter 5: Manage SELinux Security

Section 5.1: Change the SELinux Enforcement Mode

Section 5.2: Guided Exercise: Change the SELinux Enforcement Mode

Section 5.3: Control SELinux File Contexts

Section 5.4: Guided Exercise: Control SELinux File Contexts

Section 5.5: Adjust SELinux Policy with Booleans

Section 5.6: Guided Exercise: Adjust SELinux Policy with Booleans

Section 5.7: Investigate and Resolve SELinux Issues

Section 5.8: Guided Exercise: Investigate and Resolve SELinux Issues

Section 5.9: Lab: Manage SELinux Security

Section 5.10: Summary

Chapter 6: Tune System Performance

Section 6.1: Kill Processes

Section 6.2: Guided Exercise: Kill Processes

Section 6.3: Monitor Process Activity

Section 6.4: Guided Exercise: Monitor Process Activity

Section 6.5: Adjust Tuning Profiles

Section 6.6: Guided Exercise: Adjust Tuning Profiles

Section 6.7: Influence Process Scheduling

Section 6.8: Guided Exercise: Influence Process Scheduling

Section 6.9: Lab: Tune System Performance

Section 6.10: Summary

Chapter 7: Schedule Future Tasks

Section 7.1: Schedule Recurring User Jobs

Section 7.2: Guided Exercise: Schedule Recurring User Jobs

Section 7.3: Schedule Recurring System Jobs

Section 7.4: Guided Exercise: Schedule Recurring System Jobs

Section 7.5: Manage Temporary Files

Section 7.6: Guided Exercise: Manage Temporary Files

Section 7.7: Quiz: Schedule Future Tasks

Section 7.8: Summary

Chapter 8: Install and Update Software Packages

Section 8.1: Register Systems for Red Hat Support

Section 8.2: Quiz: Register Systems for Red Hat Support

Section 8.3: Install and Update Software Packages with DNF

Section 8.4: Guided Exercise: Install and Update Software Packages with DNF

Section 8.5: Enable DNF Software Repositories

Section 8.6: Guided Exercise: Enable DNF Software Repositories

Section 8.7: Lab: Install and Update Software Packages

Section 8.8: Summary

Chapter 9: Manage Basic Storage

Section 9.1: Mount and Unmount File Systems

Section 9.2: Guided Exercise: Mount and Unmount File Systems

Section 9.3: Add Partitions, File Systems, and Persistent Mounts

Section 9.4: Guided Exercise: Add Partitions, File Systems, and Persistent Mounts

Section 9.5: Manage Swap Space

Section 9.6: Guided Exercise: Manage Swap Space

Section 9.7: Lab: Manage Basic Storage

Section 9.8: Summary

Chapter 10: Manage Storage Stack

Section 10.1: Create and Extend Logical Volumes

Section 10.2: Guided Exercise: Create and Extend Logical Volumes

Section 10.3: Lab: Manage Storage Stack

Section 10.4: Summary

Chapter 11: Control Services and Boot Process

Section 11.1: Identify Automatically Started System Processes

Section 11.2: Guided Exercise: Identify Automatically Started System Processes

Section 11.3: Control System Services

Section 11.4: Guided Exercise: Control System Services

Section 11.5: Select the Boot Target

Section 11.6: Guided Exercise: Select the Boot Target

Section 11.7: Reset the Root Password

Section 11.8: Guided Exercise: Reset the Root Password

Section 11.9: Repair File-system Issues at Boot

Section 11.10: Guided Exercise: Repair File-system Issues at Boot

Section 11.11: Lab: Control the Boot Process

Section 11.12: Summary

Chapter 12: Analyze and Store Logs

Section 12.1: Describe System Log Architecture

Section 12.2: Quiz: Describe System Log Architecture

Section 12.3: Review Syslog Files

Section 12.4: Guided Exercise: Review Syslog Files

Section 12.5: Review System Journal Entries

Section 12.6: Guided Exercise: Review System Journal Entries

Section 12.7: Preserve the System Journal

Section 12.8: Guided Exercise: Preserve the System Journal

Section 12.9: Maintain Accurate Time

Section 12.10: Guided Exercise: Maintain Accurate Time

Section 12.11: Lab: Analyze and Store Logs

Section 12.12: Summary

Chapter 13: Manage Networking

Section 13.1: Validate Network Configuration

Section 13.2: Guided Exercise: Validate Network Configuration

Section 13.3: Configure Networking from the Command Line

Section 13.4: Guided Exercise: Configure Networking from the Command Line

Section 13.5: Edit Network Configuration Files

Section 13.6: Guided Exercise: Edit Network Configuration Files

Section 13.7: Configure Hostnames and Name Resolution

Section 13.8: Guided Exercise: Configure Hostnames and Name Resolution

Section 13.9: Lab: Manage Networking

Section 13.10: Summary

Chapter 14: Access Network-Attached Storage

Section 14.1: Manage Network-Attached Storage with NFS

Section 14.2: Guided Exercise: Manage Network-Attached Storage with NFS

Section 14.3: Automount Network-Attached Storage

Section 14.4: Guided Exercise: Automount Network-Attached Storage

Section 14.5: Lab: Access Network-Attached Storage

Section 14.6: Summary

Chapter 15: Manage Network Security

Section 15.1: Manage Server Firewalls

Section 15.2: Guided Exercise: Manage Server Firewalls

Section 15.3: Control SELinux Port Labeling

Section 15.4: Guided Exercise: Control SELinux Port Labeling

Section 15.5: Lab: Manage Network Security

Section 15.6: Summary

Chapter 16: Run Containers

Section 16.1: Container Concepts

Section 16.2: Quiz: Container Concepts

Section 16.3: Deploy Containers

Section 16.4: Guided Exercise: Deploy Containers

Section 16.5: Manage Container Storage and Network Resources

Section 16.6: Guided Exercise: Manage Container Storage and Network Resources

SectionSection 16.7: Manage Containers as System Services

Section 16.8: Guided Exercise: Manage Containers as System Services

Section 16.9: Lab: Run Containers

Section 16.10: Summary

Chapter 17: Comprehensive Review

Section 17.1: Comprehensive Review

Section 17.2: Lab: Fix Boot Issues and Maintain Servers

Section 17.3: Lab: Configure and Manage File Systems and Storage

Section 17.4: Lab: Configure and Manage Server Security

Section 17.5: Lab: Run Containers

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

Manage Containers as System Services

Objectives

Configure a container as a systemd service, and configure a container service to start at boot time.

Manage Small Container Environments with systemd Units

You can run a container to complete a system task or to obtain the output of a series of commands. You also might want to run containers that run a service indefinitely, such as web servers or databases. In a traditional environment, a privileged user typically configures these services to run at system boot, and manages them with the systemctl command.

As a regular user, you can create a systemd unit to configure your rootless containers. You can use this configuration to manage your container as a regular system service with the systemctl command.

Managing containers based on systemd units is mainly useful for basic and small deployments that do not need to scale. For more sophisticated scaling and orchestration of many container-based applications and services, you can use an enterprise orchestration platform that is based on Kubernetes, such as Red Hat OpenShift Container Platform.

To discuss the topics in this lecture, imagine the following scenario.

As a system administrator, you are tasked to configure the webserver1 container that is based on the http24 container image to start at system boot. You must also mount the /app-artifacts directory for the web server content and map the 8080 port from the local machine to the container. Configure the container to start and stop with systemctl commands.

Requirements for systemd User Services

As a regular user, you can enable a service with the systemctl command. The service starts when you open a session (graphical interface, text console, or SSH), and it stops when you close the last session. This behavior differs from a system service, which starts when the system boots and stops when the system shuts down.

By default, when you create a user account with the useradd command, the system uses the next available ID from the regular user ID range. The system also reserves a range of IDs for the user's containers in the /etc/subuid file. If you create a user account with the useradd command --system option, then the system does not reserve a range for the user containers. As a consequence, you cannot start rootless containers with system accounts.

You decide to create a dedicated user account to manage containers. You use the useradd command to create the appdev-adm user, and use redhat as the password.

[user@host ~]$ sudo useradd appdev-adm
[user@host ~]$ sudo passwd appdev-adm
Changing password for user appdev-adm.
New password: redhat
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: redhat
passwd: all authentication tokens updated successfully.

You then use the su command to switch to the appdev-adm user, and you start to use the podman command.

[user@host ~]$ su appdev-adm
Password: redhat
[appdev-adm@host ~]$ podman info
ERRO[0000] XDG_RUNTIME_DIR directory "/run/user/1000" is not owned by the current user
[appdev-adm@host ~]$

Podman is a stateless utility and requires a full login session. Podman must be used within an SSH session, and cannot be used in a sudo or an su shell. So you exit the su shell and log in to the machine via SSH.

[appdev-adm@host ~]$ exit
[user@host ~]$ exit
[user@example ~]$ ssh appdev-adm@host
[appdev-adm@host ~]$

You then configure the container registry and authenticate with your credentials. You run the http container with the following command.

[appdev-adm@host ~]$ podman run -d --name webserver1 -p 8080:8080 -v \
~/app-artifacts:/var/www/html:Z registry.access.redhat.com/ubi8/httpd-24
cde4a3d8c9563fd50cc39de8a4873dcf15a7e881ba4548d5646760eae7a35d81
[appdev-adm@host ~]$ podman ps
CONTAINER ID  IMAGE                                            COMMAND               CREATED        STATUS            PORTS                   NAMES
cde4a3d8c956  registry.access.redhat.com/ubi8/httpd-24:latest  /usr/bin/run-http...  4 seconds ago  Up 5 seconds ago  0.0.0.0:8080->8080/tcp  webserver1

Note

Remember to provide the right access to the directory that you mount from the host file system to the container. For any error when running a container, you can use the podman container logs command for troubleshooting.

Create systemd User Files for Containers

You can manually define systemd services in the ~/.config/systemd/user/ directory. The file syntax for user services is the same as for the system services files. For more details, review the systemd.unit(5) and systemd.service(5) man pages.

Use the podman generate systemd command to generate systemd service files for an existing container. The podman generate systemd command uses a container as a model to create the configuration file.

The podman generate systemd command --new option instructs the podman utility to configure the systemd service to create the container when the service starts, and to delete the container when the service stops.

Important

Without the --new option, the podman utility configures the service unit file to start and stop the existing container without deleting it.

You use the podman generate systemd command with the --name option to display the systemd service file that is modeled for the webserver1 container.

[appdev-adm@host ~]$ podman generate systemd --name webserver1
...output omitted...
ExecStart=/usr/bin/podman start webserver1 
ExecStop=/usr/bin/podman stop -t 10 webserver1 
ExecStopPost=/usr/bin/podman stop -t 10 webserver1
...output omitted...

	On start, the `systemd` daemon executes the `podman start` command to start the existing container.
	On stop, the `systemd` daemon executes the `podman stop` command to stop the container. Notice that the `systemd` daemon does not delete the container on this action.

You then use the previous command with the addition of the --new option to compare the systemd configuration.

[appdev-adm@host ~]$ podman generate systemd --name webserver1 --new
...output omitted...
ExecStartPre=/bin/rm -f %t/%n.ctr-id
ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --cgroups=no-conmon --rm --sdnotify=conmon --replace -d --name webserver1 -p 8080:8080 -v /home/appdev-adm/app-artifacts:/var/www/html:Z registry.access.redhat.com/ubi8/httpd-24 
ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id 
ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id 
...output omitted...

	On starting, the `systemd` daemon executes the `podman run` command to create and then start a new container. This action uses the `podman run` command `--rm` option, which removes the container on stopping.
	On stopping, `systemd` executes the `podman stop` command to stop the container.
	After `systemd` stops the container, `systemd` removes it by using the `podman rm -f` command.

You verify the output of the podman generate systemd command, and run the previous command with the --files option to create the systemd user file in the current directory. Because the webserver1 container uses persistent storage, you choose to use the podman generate systemd command with the --new option. You then create the ~/.config/systemd/user/ directory and move the file to this location.

[appdev-adm@host ~]$ podman generate systemd --name webserver1 --new --files
/home/appdev-adm/container-webserver1.service
[appdev-adm@host ~]$ mkdir -p ~/.config/systemd/user/
[appdev-adm@host ~]$ mv container-webserver1.service ~/.config/systemd/user/

Manage systemd User Files for Containers

Now that you created the systemd user file, you can use the systemctl command --user option to manage the webserver1 container.

First, you reload the systemd daemon to make the systemctl command aware of the new user file. You use the systemctl --user start command to start the webserver1 container. Use the name of the generated systemd user file for the container.

[appdev-adm@host ~]$ systemctl --user daemon-reload
[appdev-adm@host ~]$ systemctl --user start container-webserver1.service
[appdev-adm@host ~]$ systemctl --user status container-webserver1.service
● container-webserver1.service - Podman container-webserver1.service
     Loaded: loaded (/home/appdev-adm/.config/systemd/user/container-webserver1.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2022-04-28 21:22:26 EDT; 18s ago
       Docs: man:podman-generate-systemd(1)
    Process: 31560 ExecStartPre=/bin/rm -f /run/user/1003/container-webserver1.service.ctr-id (code=exited, status=0/SUCCESS)
   Main PID: 31600 (conmon)
...output omitted...
[appdev-adm@host ~]$ podman ps
CONTAINER ID  IMAGE                                            COMMAND               CREATED         STATUS             PORTS                   NAMES
18eb00f42324  registry.access.redhat.com/ubi8/httpd-24:latest  /usr/bin/run-http...  28 seconds ago  Up 29 seconds ago  0.0.0.0:8080->8080/tcp  webserver1
Created symlink /home/appdev-adm/.config/systemd/user/default.target.wants/container-webserver1.service → /home/appdev-adm/.config/systemd/user/container-webserver1.service.

Important

When you configure a container with the systemd daemon, the daemon monitors the container status and restarts the container if it fails. Do not use the podman command to start or stop these containers. Doing so might interfere with the systemd daemon monitoring.

The following table summarizes the directories and commands that are used between systemd system and user services.

Table 16.3. Comparing System and User Services

Storing custom unit files	System services	`/etc/systemd/system/unit.service`
Storing custom unit files	User services	`~/.config/systemd/user/unit.service`
Reloading unit files	System services	# `systemctl daemon-reload`
Reloading unit files	User services	$ `systemctl --user daemon-reload`
Starting and stopping a service	System services	# `systemctl start UNIT` # `systemctl stop UNIT`
Starting and stopping a service	User services	$ `systemctl --user start UNIT` $ `systemctl --user stop UNIT`
Starting a service when the machine starts	System services	# `systemctl enable UNIT`
Starting a service when the machine starts	User services	$ `loginctl enable-linger` $ `systemctl --user enable UNIT`

Configure Containers to Start at System Boot

At this point, the systemd service configuration is ready to run a container for a given user. However, the systemd service stops the container after a certain time if the user logs out from the system. This behavior occurs because the systemd service unit was created with the --user option, which starts a service at user login and stops it at user logout.

You can change this default behavior, and force your enabled services to start with the server and stop during the shutdown, by running the loginctl enable-linger command.

You use the loginctl command to configure the systemd user service to persist after the last user session of the configured service closes. You then verify the successful configuration with the loginctl show-user command.

[user@host ~]$ loginctl show-user appdev-adm
...output omitted...
Linger=no
[user@host ~]$ loginctl enable-linger
[user@host ~]$ loginctl show-user appdev-adm
...output omitted...
Linger=yes

To revert the operation, use the loginctl disable-linger command.

Manage Containers as Root with systemd

You can also configure containers to run as root and manage them with systemd service files. One advantage of this approach is that you can configure the service files to work the same as common systemd unit files, rather than as a particular user.

The procedure to set the service file as root is similar to the previously outlined procedure for rootless containers, with the following exceptions:

Do not create a dedicated user for container management.
The service file must be in the /etc/systemd/system directory instead of in the ~/.config/systemd/user directory.
You manage the containers with the systemctl command without the --user option.
Do not run the loginctl enable-linger command as the root user.

For a demonstration, see the YouTube video from the Red Hat Videos channel that is listed in the References at the end of this section.

References

loginctl(1), systemd.unit(5), systemd.service(5), subuid(5), and podman-generate-systemd(1) man pages

Managing Containers in Podman with Systemd Unit Files

For more information, refer to the Running Containers as Systemd Services with Podman chapter in the Red Hat Enterprise Linux 9 Building, Running, and Managing Containers guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/building_running_and_managing_containers/index

Revision: rh199-9.0-4fecb06