So, I'm starting. So, hello everybody and thank you for joining this session today with me about Podman. It will be an introduction to Podman. And before starting, I would like to say an important fact. So, it's not a comparison. I will not do a comparison between Docker and Podman. The two products are very nice. I used Docker a lot in the past. It's nice. So, no, they share the same DNA. It's open source. So, no war between products. Docker, it's a nice product. But it's a bit, what?
So, hello everybody. My name is Pierre Blanc. I come from Red Hat. I'm a software engineer and I live in Canada. So, I think this one, this would be very useful next month. At the last Open Source Summit session, we already had some presentations of Podman. But they were more by developers or architects. It's not the case for mine. I'm not a developer of the product itself, but more a user. I'm using it every day. I'm also using Podman and Kubernetes a lot. And my job is to work with partners to help them on the container journey. So, sometimes they are using virtual machines. Sometimes they are still using bare metal. So, my goal is to help them to understand what containerization is and how to use it. My target is to use Kubernetes, so a container orchestrator. So, I already did this kind of presentation for a partner. It will be about the capacities of Podman.
So, I will start with a very short introduction on what Podman is, why we have Podman, when it was released. Then we will see how to use it with a command line demo. And I will continue to explain what the nice features of Podman are, with a quick introduction to the ecosystem. And I will finish with the conclusion and questions.
So, let's define first what Podman is, why it exists, and how it works. So, Podman is an OCI-compliant container manager. But Podman is not only a container manager. It's also a pod manager. So, introduced by Kubernetes, a pod is a group of containers deployed for a common purpose.
Podman is also secure by design. We have a specific section on security inside this presentation that explains what rootless, daemonless, Linux capabilities and more are. Of course, Podman is open source, as are all the other products that Red Hat supports. And it's multi-platform. So, when we speak about a container or a Docker container, what is this? It's a Linux container. So, it's very easy to start a container on the host, on a Linux host or on a Linux server or Linux laptop. But when we want to spawn a container on Windows or macOS, it's not the same. So, Podman creates a layer between the host and itself to be able to run containers inside this kind of operating system. With Podman, we also have a very rich ecosystem with a lot of available images and a lot of tools to manage and interact with registries, create images and containers.
So, we see what Podman is now, why we have Podman. So, the goal of Podman, the initial goal, was to create and offer a way to test CRI-O. CRI-O, it's a runtime for Kubernetes. So, that explains why Podman is very close to Kubernetes. The goal was to offer a secure project and a way to easily manage pods in a local environment. So, of course, Podman is compliant with OCI for containers and images, and it fully integrates a lot of features that we can find in Fedora and CentOS based operating systems, like systemd and SELinux integration.
But before speaking about Podman, I would like to show you a very short story of open source containers since the beginning. So, this list is not exhaustive, of course. We have a lot of different projects and products between each date. But for me, it's important. It's the most important for me. So, everything started with chroot. So, it's here from the beginning. It's in the coreutils from 1996. Then, we have Linux-VServer, OpenVZ. So, it's a real first container. And in 2008, cgroups was merged into the kernel, and it's also the year of LXC.
So, from this date, we have the first fully managed container that works out of the box. In 2013, Docker creates, it's a very huge ecosystem around containers. So, it makes it easier for users to use containers. So, I think at this date, more and more users switched to containers. So, thanks again, Docker. And Kubernetes was released in 2014. So, we provide a framework to run a distributed system with resilience. It takes care of scaling or failover for your application. So, a nice date. And in 2017, finally, we have Podman. So, the story of containers is long. It's not a new thing. And we have a lot of different projects and products that contribute to the containerization environment.
So, for Podman, the first commit dates to 2017. So, five years already. And the first release was in 2018. I found more than 120 releases on the Git repository if I exclude the release candidates. And the last version is the 4.2.1. It was just released this month.
So, we saw what Podman is, why we have Podman. Now, let's check how it works. So, it's a very simple schema. We have the OCI engine that talks with the OCI runtime that finally talks to the Linux kernel. So, it's very important. The OCI is very important. So, we have OCI every time. And OCI, it's the Open Container Initiative. It's a Linux Foundation project. And it provides the OCI specifications, standards about containers. So, we have the runtime specification. We have the distribution specification. We have the image specification. And all these specifications are very important because one box can easily communicate with another. And if you build your image with Podman, it will work on Docker. It will work on Kubernetes, because all these projects follow the OCI specification. For the OCI engine, we have Podman, but we can also have Docker. For the OCI runtime, we have runc, but you also have crun. So, you have a lot of different projects for each box. And you have to choose which one is the best for you regarding your case.
So, before I finish the introduction, I would like to add a very short word about images. So, they are very important because all the containers are based on one image. They must follow the OCI specification. They use layers. So, when you build an image, you just have to take a public one and add your stuff on it. The recipe to build an image is very simple. It's a plain text file. And it's understandable. An image is just a tar, finally, with all the files of the file system of the image. And the image is distributed by a registry. So, that is the introduction. Now, I think you have a better view of what Podman is. And the next step is to use it.
So, I will go through all the major behaviors of Podman. So, the first topic is the images, how to manage them. Then, we will create a container and interact with it. We'll see volumes and we will finish with the pod. So, how to create a pod, how to use a pod in Podman. So, to use Podman, you have the podman command. And it's very similar to the docker command. So, all the options that you have in Docker, you have it in Docker. All the options that you have in Docker, you have it in Podman. So, if you are a Docker user, you are not lost. Some guys also create an alias to continue to use the docker command, but they use Podman in the back end. So, I said almost all Docker commands are compatible with Podman. The only one that is not compatible is Docker Swarm, because Podman chooses Kubernetes as the orchestrator of containers.
So, let's start with images. When you want to manage and use images with Podman, you have the podman images command. You also have a lot of short commands. So, you have podman image, to do a podman image list. You have podman pull, et cetera. All the interactions that you can have with an image are often with the registry. So, an image registry, it's a bucket. And in this bucket, you have a lot of images. So, all cloud providers provide their own registry. So, Google has one, Azure, Amazon have one, too.
In my case, I'm using docker.io and quay.io a lot, because they are public and free. But there exist a lot of solutions. You can also install your own registry in your infrastructure. And it can be based on the open source project.
So, let's do the demo. I don't know if everybody sees my screen. So, what I have, I'm doing podman images to see all the images on my local server. I have nothing. So, I don't have the same thing between the screens. So, I'm doing podman images. I have nothing. I can get an image with podman image pull. So, in this example, I'm getting the Alpine image. And after that, I can see that I have my image in my environment with podman image list or podman images.
So, I have another demo. It's to interact with a registry. So, with Podman, we have a feature to do that. We will see later in the presentation, we have another project, its name is Skopeo, that has better integration with registries. But in this example, I'm just doing a podman image search with the name of the image that I want to search for on the registry. In my case, I test with Alpine. So, I have a lot of images with Alpine. And I have a filter to get only the official image of Alpine. So, with a filter, is official. And with that, I will get only one result because only one is official. It is this one, and I can pull this one if I want. I also have an option, it's format json. So, this option is available for all the podman commands. With this, we can get the results of the command in JSON. So, it can be useful if you want to parse it or if you want to get more information about the image.
About the life cycle. So, now we will see how to create a container, how to release the container, how to stop and restart the container. So, it's the podman container command. And you also have shortcuts like podman run, podman ps, etc. So, yes. In this example, I will create a container. So, first, I'm checking if I have some container running on my server. So, I have nothing.
Now, I'm checking if I can access port 8080 of my server. It's not, I have nothing on the port. So, I'm running a container. The option -p is just to forward the port. So, the port 8080 of my local server will go to the port 80 of my container. So, I'm executing the command to run the container. And now my container is running. And if I curl again, I will see something.
So, let's speak a bit about volumes. So, with Podman, like with Docker, you can mount a volume inside your container. So, to do that, you have the option -v. And you also have the way to create a named volume. Something is very important here. It's SELinux. So, a lot of people deactivate SELinux. So, I know that. And I think in this room, maybe somebody deactivated it. And SELinux is not complicated. So, 80% or 90% of the issues that you can have in SELinux can be fixed with the command semanage. So, with semanage, you can modify the context of the file of the unit. And you really, you can fix almost all the issues with that. So, SELinux provides an additional layer of security for your system. So, it's a good thing. So, think about that. Maybe you can, and it can be a nice idea to reactivate SELinux. And with Podman, you can easily manage SELinux issues or configuration. So, I will show you that.
So, in this example, I will create a container and I will mount a directory to modify the index.html. So, I have an index.html in my local environment. So, I use the -v directory. So, it's the source to the destination on my container, /usr/share/nginx. And at the end, I put the option Z. And with the Z, it will relabel your directory. And with this, SELinux will work perfectly. So, now, I'm going to the port 8080 and I have my new index that shows.
User dependent. So, I go through a lot of features, but this one is very important. Because when you're connected to a server with Podman, each user can have their own containers. So, you don't need a special configuration.
You just have to connect to the server with my user and start to play with Podman. All the images, all the containers will be stored in my home directory. I don't need to be root. I don't need to be part of a group. It will work out of the box. And for example, so, in this example, I have a container that is run by the root user. So, I'm just waiting a bit because it is the end of the demo.
So, in this demo, I will run two containers, one by root and one by a normal user. And we will see that a user does not see the containers of another user. So, I activated SELinux. So, it's enforcing. I'm checking if I have something on the port 80. So, yes, I have something because just before, I ran a container with root. So, if I do sudo podman ps, I will see the container that was started by the root user. Now, if I check the images that the root user has, I can see I have one image. One image. Now, I don't use the sudo command. I just use podman images. And I can see the images are different because each user has his own images and his own containers. So, I can see that with podman ps. So, I don't have any container running with a normal user. So, I will just start a new container with a normal user. And in this example, I have a container that's running with root and another with my normal user. So, it's just an example. And I run with root, but I can run multiple containers with multiple users. No limit. We don't have any limit with that.
And let's check now the pods. So, as I said, a pod is a group of containers. They are used for a common purpose. So, it can be an application. In your application, you can have, for example, a back end, a front end or multiple front ends, etc. Everything can be grouped in the pod. And if you want to stop your pod, your application, it will stop all the containers of the pod. If you want to clone your application, if you have, for example, in your application 10 containers, you want to clone it to application 2. You have a command for that.
And it will clone very easily all the containers inside the pod. So, to manage the pod, it's podman pod. It's not complicated. So, in this example, what I will do, I will create a pod, put two containers inside, and do some life cycle and see what happens. So, let's check first if I have something on the port 8080. So, I have nothing because no containers are running. I'm creating a new container and add the option --pod. With the --pod, I put new:app. So, it will create a new pod. The name will be app. In this new app pod, I create a container for the website. And I create another. So, I put the --pod with the app. I put a new container. It will be the database. So, in my pod, now I have two containers. One for web, the other for the database. So, if I do podman ps, or pod ps, I will see my pod. And in my pod, I have three containers just here. Three containers because I always have one container to manage the pod. So, if I do podman ps, I will see the three containers, the HTTP container, the MariaDB container, and the pod container. Now, if I stop my application, it will stop all my containers. If I start my application again, it will start all my containers. So, it is a way to manage the pod in Podman. Of course, we have other ways. We have an import and export feature that I will explain when I explain the connection that we have between Podman and Kubernetes.
So, in this section, I will speak about what the big features are that we have in Podman and what is interesting. So, I will speak about security. I will speak about Linux capabilities, SELinux. I will give you a short introduction to the ecosystem of Podman. And we will see what possibilities we have with Podman and Kubernetes.
So, Podman is rootless. So, you don't have to give, sorry, a special right to your user. As I showed just before, you just need a login on the server and you can start to run a container. No groups are needed. And nothing is run as root.
So, it reduces the possibility to hack your system, finally. All the containers are owned by the user and nothing is owned by root. So, Podman is also daemonless. So, you don't have a single point of failure. You don't have a daemon that manages all the containers. And every time that you create a new container, it just creates a new process. And you use it on demand because you don't have a daemon. It's daemonless. If, for example, you upgrade your system and if you upgrade Podman, it will not stop all your containers because each container has its own process.
About security. So, because it's rootless and daemonless, it increases a lot the security of the container manager because it reduces root usage. About SELinux. For me, it should always be activated. It adds a layer of security. It's very nice. And we also have a project whose name is Udica. And it can help you to manage the SELinux rules for your container. If, for example, you have a very complex container or pod, you can run Udica on the running container. It will create a lot of rules, an SELinux module. And you can use this module locally, or you can also put it on another server to load with semanage and semodule.
We also have Linux capabilities. So, Linux capabilities can limit the power of the super user. The Linux kernel splits the privilege of root, sorry, the super user, into different units. And this unit, it's Linux capabilities. And because Podman is rootless, even if you use --privileged, the container will never use and will never have access to the host in a root mode.
Seccomp. So, seccomp is used to filter the syscalls of the system. So, the fewer syscalls are available, the smaller the attack surface is. So, it's very interesting also for security. And by default, Podman drops many syscalls, but we have options to drop many more.
And I put the two links because they are very interesting links about all the security around Podman, as they give you a lot of examples and how it works in depth.
How about the ecosystem? So, we have Buildah. Buildah is a tool. So, you have Podman, Buildah, Udica, as I said, for SELinux. We have Buildah to build the image. So, you can build the image with podman build, but we have a special tool and it adds some nice features. For example, you can build your image with your Dockerfile. But Buildah also allows you to access the interactive mode. So, you load your image, you can modify it and create an image with your modification. So, it's very easy to modify and debug an image if you have issues with the image. Or if you want to test a specific thing on an image, you just have to load it and start to play with it.
Skopeo. Skopeo, it's part of the ecosystem of Podman. It's a tool to copy containers. So, you can take a container from a registry and move it or duplicate it in another registry. You can also use it to sync multiple registries. You can also do some actions on the registry, like pushing or just deleting images. And you can also inspect containers. So, it can give you a lot of information about one image on a registry.
And finally, the connection between Podman and Kubernetes is done by two processes, import and export. So, for the import, if you have your Kubernetes file, you can import it into Podman and it will recreate everything on your local server. So, if you have a pod, it will create the pod, it will create the containers inside, it will create everything. So, it is very nice if you want to test a container, a Kubernetes file in your local environment, if you want to do some action and see what happens before exporting it to the Kubernetes cluster, you can test it locally before. And that is the import feature. And the export feature is the same thing the other way. So, you can do all the infrastructure in your local environment.
You can create your pod, create your containers that you put inside your pod, etc. And when you are done, you just have to export to Kubernetes and it will create a file that you will be able to use on your Kubernetes cluster. So, it's very interesting.
About the bonus. With Podman, you can also manage virtual machines. So, it's a light way to use virtual machines, but when you want to create a container on macOS or on Windows, it will create the virtual machine and spawn the container inside. But you can also create this virtual machine on your Linux server or Linux laptop. And the virtual machine is interesting because it's a CoreOS. So, it will create the CoreOS. CoreOS, it's an immutable operating system. So, it's a perfect operating system to run a container. And you can play with it. It also supports Ignition files. So, with the Ignition file, you can modify and configure the CoreOS operating system so that, with this, it can match what you need to test. So, I've already used it in the past. It's an interesting feature.
And if you like the UI, you also have Podman Desktop. So, Podman Desktop, it's an interface. And in this interface, you will see all the containers, all your images. You can interact with them. You can access the logs easily. You can directly go to the console of the container. And you also have a way to manage your registry, manage images, a lot of nice features. So, if you like a graphical interface, Podman Desktop, it's nice.
For more information, so, we have Dan Walsh. It's, for me, the master of Podman presentations. He did a lot of presentations. This website is just here. On this website, you have a lot of resources about Podman, about the ecosystem, and about security. So, it's really a gold mine. And you can also access all the latest presentations that he did about Podman. It's a very, very nice presentation. And he also published, a few weeks ago, an amazing, amazing book.
So, with a lot of examples, it's very well documented. Dan Walsh, it's one of the core developers of Podman since the beginning. So, that's why he knows the project very well. And in his book, you also have a comparison, a very deep comparison between Docker and Podman, if you are interested.
So, for the conclusion, after five years of development, Podman is definitely ready to be used. It's secure out of the box. The integration with Kubernetes is very good. In my day-to-day job, I'm working with partners. They are using Fedora, CentOS, RHEL distributions. And they are very happy that in Podman, you can use systemd and you can use SELinux without issue. So, if you are using this kind of technology, it can be a nice project for you, Podman. And the integration with Kubernetes, it's amazing. It's very easy to test some play or before putting everything in the Kubernetes cluster. You can test it very easily locally. Thank you for your time. I'm just finished. So, if you have questions, go ahead. And if not, it's time to eat, I think. No question? I hope it's not a question about Docker.
Hi. Thanks for the talk. It has something else related to Docker. On Docker, you can configure the logging driver at the daemon level in the daemon config file or as a flag when you do a docker run. Is there any workaround for Podman to enable the logs?
So, on Docker, you can configure the Docker, the logging driver, in a daemon file or as a flag during the docker run command. Is there any workaround for Podman to disable or enable the logs for the containers?
I see. It's a bit different in Podman because we don't have a centralized daemon. So, you cannot have a way to modify the log on all the containers because each user has its own log, finally.
Okay. Thanks.
Thank you for your question. No other question? Perfect. So, thank you again and have a nice lunch.