Podman, systemd container management, buildah, skopeo, and container networking on RHEL 10.
RHEL 10 ships with Podman as the default container engine (no daemon required). It provides a Docker-compatible CLI, rootless containers, and systemd integration.
RHEL 10 container changes: slirp4netns is deprecated in favor of pasta; CNI backend and runc have been removed. Podman now uses crun as the default runtime.
# Install Podman tools
sudo dnf install -y podman buildah skopeo
# Run a container
podman run -d --name web -p 8080:80 nginx:latest
# Rootless containers (no sudo needed)
podman run -it fedora bash

# Generate a systemd unit from a running container
podman generate systemd --new --name web --files --restart-policy=on-failure
# Move unit to systemd user directory (create it first if it does not exist)
mkdir -p ~/.config/systemd/user/
mv container-web.service ~/.config/systemd/user/
systemctl --user daemon-reload
systemctl --user enable --now container-web.service
# Container auto-starts on boot with the user session
loginctl enable-linger "$USER"

# Build from a Containerfile
buildah bud -t myapp:latest .
# Or use podman build (wrapper around buildah)
podman build -t myapp:latest .
# Example Containerfile
# FROM registry.access.redhat.com/ubi10/ubi-minimal
# RUN dnf install -y httpd && dnf clean all
# COPY index.html /var/www/html/
# EXPOSE 80
# CMD ["httpd", "-D", "FOREGROUND"]

# Inspect an image without pulling
skopeo inspect docker://docker.io/library/nginx:latest
# Copy between registries
skopeo copy docker://docker.io/library/nginx:latest docker://myregistry.example.com/nginx:latest
# Copy to local OCI archive
skopeo copy docker://docker.io/library/nginx:latest oci:nginx-archive:latest
# Signature verification (--policy is a global skopeo option, so it goes before the subcommand)
skopeo --policy /path/to/policy.json copy docker://src docker://dest

# Create a named volume
podman volume create mydata
# Use a volume
podman run -d --name app -v mydata:/data myapp
# Inspect volume location
podman volume inspect mydata
# Bind mount (host directory)
podman run -d --name web -v /srv/www:/usr/share/nginx/html:ro nginx:latest

# List networks
podman network ls
# Create a custom network
podman network create mynet
# Connect containers
podman run -d --name app1 --network mynet myapp
podman run -d --name app2 --network mynet myapp
# Containers can reach each other by name
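podman exec app1 ping app2

# Create a pod (rootless users cannot publish host ports below 1024 unless
# net.ipv4.ip_unprivileged_port_start is lowered)
podman pod create --name webstack -p 80:80 -p 443:443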
# Add containers to the pod
podman run -d --pod webstack --name nginx nginx:latest
podman run -d --pod webstack --name php php:8-fpm
# All containers in a pod share network namespace
podman pod ps

# Run unprivileged (rootless)
podman run -d --name app myapp
# Drop capabilities
podman run --cap-drop ALL --cap-add NET_BIND_SERVICE myapp
# Read-only root filesystem
podman run --read-only --tmpfs /tmp myapp
# Seccomp profile
podman run --security-opt seccomp=/path/to/seccomp.json myapp
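
The policy file passed to the signature verification command above decides, per image, whether a signature is demanded at all. This added example (not from the original page and not skopeo's own code) models how a containers-policy.json file selects the requirement list for a docker:// reference: most specific scope first, then the global default. The sample policies, the key path and the function names are constructed for illustration; references are assumed to be fully qualified, and wildcard host scopes are not modelled.

```python
import json

# Constructed sample policies (not from the original page).
WEAK = json.loads('{"default": [{"type": "insecureAcceptAnything"}]}')
HARDENED = json.loads("""{
  "default": [{"type": "reject"}],
  "transports": {"docker": {"myregistry.example.com": [
    {"type": "signedBy", "keyType": "GPGKeys", "keyPath": "/path/to/signing-key.gpg"}
  ]}}
}""")


def candidate_scopes(ref):
    """Yield docker-transport scopes for a fully qualified ref, most specific first."""
    yield ref                                   # exact tag or digest
    repo = ref.split("@", 1)[0]                 # drop a digest, if any
    head, _, last = repo.rpartition("/")
    repo = f"{head}/{last.split(':', 1)[0]}"    # drop a tag, keep any registry port
    while "/" in repo:
        yield repo                              # repository, then each namespace
        repo = repo.rsplit("/", 1)[0]
    yield repo                                  # registry host
    yield ""                                    # transport-wide default scope


def requirements_for(policy, ref, transport="docker"):
    """Return (matched scope, requirement list) that governs this image."""
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in candidate_scopes(ref):
        if scope in scopes:
            return scope, scopes[scope]
    return "default", policy["default"]


def verdict(policy, ref):
    """Classify how the policy treats ref; every listed requirement must pass."""
    _, reqs = requirements_for(policy, ref)
    types = {r["type"] for r in reqs}
    if "reject" in types:
        return "rejected"
    if types == {"insecureAcceptAnything"}:
        return "accepted-unsigned"
    return "signature-required"


if __name__ == "__main__":
    for ref in ("docker.io/library/nginx:latest", "myregistry.example.com/nginx:latest"):
        print(ref, verdict(WEAK, ref), verdict(HARDENED, ref))
```

A policy whose only rule is a default of `insecureAcceptAnything` accepts every image unsigned, so pointing a command at a policy file does not by itself mean signatures are checked.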