Podman, but with steroids for building and auditing containers
10K+
Podman, but bundled with "steroids", for building and auditing containers, and managing repositories
This image contains tools for building, auditing and publishing OCI and Docker images and containers in small image (<180MB with Alpine variants). It contains:
At the time of this writing, only Alpine Linux is available as the base underlying container system. But more are planned due to glib tools
<version>)These are the defacto images. They are built on top of the latest stable version of Alpine Linux, and all the architecture emulators from Qemu are installed.
<version>-minimal)The minimal variants have limited foreign architecture emulation support, supporting only ARM (arm/v7, arm64/v8 - little endian variant) and x86 (386 and amd64) architectures for the sake of smaller pull sizes (<150 MB) compared to the default variant.
These are the most popular architectures and the built images will be able to be executed in most machines, including Apple MacOS devices (Apple Silicon or Intel CPUs), Linux with x86 CPU (AMD/Intel) or ARM v7 (like Raspberry Pi 2 or higher), and WSL - Windows Subsystem for Linux.
There may be some scenarios where these images will be able to build for other architectures, such like
arm/v5orarm/v6(due to some compatibility witharm/v7), but they are not supported.
For a larger list of architectures, use the default variant which has all Qemu emulators available
In the future, we may remove support for 32-bit architectures (i.e. arm/v7 and 386) for even smaller pulls.
<version>-edge)The Alpine "Edge" variants include the latest version of Podman and friends available in Alpine Edge repository, but the upstream compatibility is not guaranteed.
Use it with caution in development environments to know what is coming next from upstream packages. But avoid usage in production environments for stability purpose.
For more information on Alpine Edge, check Repositories page in their Wiki
These images are automatically updated on a weekly basis. Attestations, SBOM and Signatures are attached to the image digests:
application/cyclonedx+json) format. CycloneDX is a modern standard for the software supply chainapplication/vnd.syft+json) format. Syft SBOMs are good for using in conjunction with Grype for vulnerability scanningNOTE: Until 2023-08-13, the attestations were in SPDX in JSON (application/spdx+json) format.
Other OCI artifacts are pushed to this repository. They include the License, Public Key and README with the following tags
DATE datetime. Useful if the latest license was updatedDATE datetime. Useful when the keys used to sign the old image and artificats got rotatedDATE datetime. Useful if the latest README was updated.The public keys can be used to validate the authenticity of the images and artifacts. They can be used as below
## Display signatures and artifacts related to image
$ cosign triangulate docker.io/redemonbr/podman-steroids:latest
$ cosign tree docker.io/redemonbr/podman-steroids:latest
## Pulls/Downloads the public key (it will be saved as cosign.pub)
$ oras pull docker.io/redemonbr/podman-steroids:publickey
## Verify image (via manifest/tag or digest), SBOM and attestation
$ cosign verify --key cosign.pub docker.io/redemonbr/podman-steroids:latest
$ cosign verify --key cosign.pub docker.io/redemonbr/podman-steroids@sha256:...
$ cosign verify --attachment sbom --key cosign.pub docker.io/redemonbr/podman-steroids@sha256:...
$ cosign verify-attestation --type cyclonedx --key cosign.pub docker.io/redemonbr/podman-steroids@sha256:...
All environment variables inherited from bundled packages and tools are respected, like BUILDAH_FORMAT, STORAGE_DRIVER CONTAINER_SSHKEY etc.
This image implements only one environment variable to customize its behavior:
0 or false, it will not suppress the qemu-binfmt-conf.sh output on entrypoint. Output is suppressed by default. Default value is 1 which supresses the output--privileged for running Podman inside a Podman containerFor running with privileged access. Using podman as example, but also works with Docker engine too
###### IN HOST MACHINE ######
$ podman run --privileged --rm --name podman-steroids -it docker.io/redemonbr/podman-steroids:latest /bin/bash
###### INSIDE CONTAINER ######
## run command inside another Ubuntu container
$ podman run --rm --name ubuntu docker.io/ubuntu:latest "echo hello world from ubuntu container"
## generate SBOM from Ubuntu image
$ syft packages --output syft-json --file syft-sbom.json registry:docker.io/ubuntu:latest
## scan SBOM from Ubuntu SBOM
$ grype sbom:./syft-sbom.json
--privileged for running Podman in DockerIn host machine, with Docker installed:
# docker run --privileged --rm --name podman-steroids redemonbr/podman-steroids:latest podman version
Using GitLab Container Registry as example.
Also, for the examples including signature, it is required to have a cosign pair of keys (how to generate) stored in GitLab CI Secrets:
File with the contents of the private keyFile with the contents of the public keyVariable with the password. Remember to mask itAlso, some variables are predefined by GitLab CI, including CI_REGISTRY, CI_REGISTRY_USER, CI_REGISTRY_PASSWORD, and CI_PROJECT_PATH. More information on GitLab CI's Predefined variables
Simple build and push
build:
stage: build
image: redemonbr/podman-steroids:latest
variables:
IMAGE_REPO: $CI_REGISTRY/$CI_PROJECT_PATH/my-image
TAG: example
script:
- podman login --username $CI_REGISTRY_USER --password $CI_REGISTRY_PASSWORD $CI_REGISTRY
- podman build --tag $IMAGE_REPO:$TAG .
- podman push $IMAGE_REPO:$TAG
Build an image, sign the image, generate and attach SBOM (Software Bill of Materials) and attestation to the image in remote repository.
NOTE: This considers COSIGN_PRIVATE_KEY and COSIGN_PUBLIC_KEY are set in GitLab CI secrets
build:
stage: build
image: redemonbr/podman-steroids:latest
variables:
IMAGE_REPO: $CI_REGISTRY/$CI_PROJECT_PATH/my-image
TAG: example
before_script:
- podman login --username $CI_REGISTRY_USER --password $CI_REGISTRY_PASSWORD $CI_REGISTRY
- cosign login --username $CI_REGISTRY_USER --password $CI_REGISTRY_PASSWORD $CI_REGISTRY
script:
- podman build --squash --jobs $(nproc) --tag $IMAGE_REPO:$TAG.
- podman push $IMAGE_REPO:$TAG
## Sign the image and push signature, and then verify
- cosign sign --yes --key $COSIGN_PRIVATE_KEY $IMAGE_REPO:$TAG
- cosign verify --key $COSIGN_PUBLIC_KEY $IMAGE_REPO:$TAG
## Generate SBOM, attach it to remote container registry, sign and then verify
- syft packages --output syft-json --file syft-sbom.json $IMAGE_REPO:$TAG
- cosign attach sbom --type syft --sbom syft-sbom.json $IMAGE_REPO:$TAG
- cosign sign --yes --attachment sbom --key $COSIGN_PRIVATE_KEY $IMAGE_REPO:$TAG
- cosign verify --attachment sbom --key $COSIGN_PUBLIC_KEY $IMAGE_REPO:$TAG
## Scan the SBOM for vulnerabilities
- grype sbom:./syft-sbom.json
## Generate attestation, attach it to remote container registry and then verify it
- syft packages --output cyclonedx-json --file cyclonedx-sbom.json $IMAGE_REPO:$TAG
- cosign attest --yes --type cyclonedx --predicate cyclonedx-sbom.json --key $COSIGN_PRIVATE_KEY $IMAGE_REPO:$TAG
- cosign verify-attestation --type cyclonedx --key $COSIGN_PUBLIC_KEY $IMAGE_REPO:$TAG
For more information, check our own repository that generates this very own image
Build a multi-arch image using manifests (instead of tags) and pushing it to remote Container Registry.
build:
stage: build
image: redemonbr/podman-steroids:latest
variables:
IMAGE_REPO: docker.io/namespace/my-image
REGISTRY_USER: my-user
REGISTRY_PASSWORD: password-safely-stored-in-secret-manager
MANIFEST_NAME: example
PLATFORMS: linux/amd64,linux/i386,linux/arm64/v8,linux/arm/v7
before_script:
- podman login --username $REGISTRY_USER --password $REGISTRY_PASSWORD docker.io
- cosign login --username $REGISTRY_USER --password $REGISTRY_PASSWORD docker.io
script:
- podman build --squash --jobs $(nproc) --platform $PLATFORMS --manifest $IMAGE_REPO:$MANIFEST_NAME .
- podman manifest push $IMAGE_REPO:$MANIFEST_NAME $IMAGE_REPO:$MANIFEST_NAME
## signing recursively all platforms included in manifest list
- cosign sign --yes --key $COSIGN_PRIVATE_KEY --recursive $IMAGE_REPO:$MANIFEST_NAME
For more usage with GitLab CI, please check the source code of this own project and to see how it uses GitLab CI for automated builds
Podman uses Buildah for building container images.
While Buildah and Podman are happy to use base images and COPY/ADD-ing resources from foreign platforms during builds, the RUN instructions require emulation provided by QEMU.
For the RUN instructions to be emulated, QEMU relies on hypervisors (aka accelerators), such like KVM, from the host machine.
If the host machine does not supported them, the RUN instructions will potentially fail for foreign platforms.
Even without KVM, QEMU is, under certain circumstances (like newer versions of Linux Kernel, high-spec hosts etc), able to emulate foreign platforms but with a lower performance. For more information about QEMU accelerators support, read QEMU documentation.
Most of cloud Virtual Private Server providers do not provide virtual machines with KVM support. So if you are using custom CI runners on the cloud or using this in a virtual machine, please be sure to check if the host machine has KVM support.
For more information:
This project hosts a living document of how to make Docker emulate foreign architectures, for running and building containers. The rdnxk's custom GitLab CI runners use Docker, similar to the one used in the tutorial.
Check the multi-arch docker tutorial
These are the plans for the upcoming releases. We don't promise anything but we want to track it when we have some time:
glib and friendsContent type
Unrecognized
Digest
sha256:f535d02f8…
Size
2.9 MB
Last updated
4 days ago
docker pull redemonbr/podman-steroids:sha256-f55eadec4bd966af7ee895c11736914bfedbc40dad89fdb0f598e3b1611a76ca.sbom