RHEL8 Container toolkit

Overview

Due to the Docker replacement and following the Unix/Linux philosophy (avoid having one binary/command to do everything), new tools have been created:

buildah: A tool and library for building Open Container Initiative (OCI) container images.
podman: A daemon-less CLI/API for running, managing, and debugging OCI containers and pods.
scopeo: A command line utility that performs various operations on container images and image repositories.

Buildah

A daemon-less tool for building and modifying OCI/Docker images that:

Preserves existing Dockerfile workflow
Allows fine-grained control over image layers, the content, and commits
Lets you minimize container images by using tools from the container host rather than adding them in the image
Shares the underlying image and storage components with Podman and CRI-O

Additional Characteristics

It is a tool and library for building Open Container Initiative (OCI) container images.
It creates a rootfs directory on disk and allow other tools to populate the directory, then creates the container configuration JSON file.
It allows you to push images to a container registry where it could be used by any container engine, like Docker, Podman, CRI-O, or another Buildah.
It supports Dockerfiles.
It allows developers to build images without root.

Some Examples

Build a container from a Dockerﬁle: use a Dockerﬁle to build a new container image (buildah bud).
Build a container from another image or scratch: build a new container, starting with an existing base image (buildah from <imagename>) or from scratch (buildah from scratch).
Inspecting a container or image: view metadata associated with the container or image (buildah inspect).
Mount a container: mount a container’s root ﬁlesystem to add or change content (buildah mount).
Create a new container layer: use the updated contents of a container’s root ﬁlesystem as a ﬁlesystem layer to commit content to a new image (buildah commit).
Unmount a container: unmount a mounted container (buildah umount).
Delete a container or an image: remove a container (buildah rm) or a container image (buildah rmi).

Podman

A daemon-less CLI/API for running, managing, and debugging OCI containers and pods.

Main features

Fast and lightweight
More secure: no daemon
Uses runC
Provides a ‘docker-style’ syntax for working with containers
Standard CNI networking
Remote management API via Varlink
Provides Systemd integration and advanced namespace isolation
Compatible with Docker images
More than just Docker, it can also manage pods

Syntax

Podman syntax is identical to Docker’s in most cases
Tip: alias docker=’podman’

Scopeo

A comprehensive tool and library to inspect, sign, and transfer images.

Main features

Inspect image manifests
Sign and verify image manifests
Push/pull images
Currently the only tool capable of copying images between registries
Disconnected environments
Same code base as the/containers/image library which is used by buildah, podman, and CRI-O

Some examples

It is a command line utility that performs various operations on container images and image repositories.
It allows to copy an image from and to various storage mechanisms. For example you can copy images from one registry to another, without requiring privilege.
It can inspect a remote image showing its properties including its layers, without requiring you to pull the image to the host.
It can delete an image from an image repository.
When required by the repository, skopeo can pass the appropriate credentials and certificates for authentication.
It can sign and verify image manifests.

Source: Crunchtools website.