  • Podman

    Podman

    安装

    //安装podman
    [root@localhost ~]# yum -y install podman
    
    [root@localhost ~]#  podman info
    host:
      arch: amd64
      buildahVersion: 1.18.0
      cgroupManager: systemd
      cgroupVersion: v1
      conmon:
        package: conmon-2.0.22-3.module_el8.3.0+699+d61d9c41.x86_64
        path: /usr/bin/conmon
        version: 'conmon version 2.0.22, commit: 01898f0a68e4bf403cba544b87ecd260545ae25a'
      cpus: 1
      distribution:
        distribution: '"rhel"'
        version: "8.0"
      eventLogger: file
      hostname: localhost.localdomain
      idMappings:
        gidmap: null
        uidmap: null
      kernel: 4.18.0-80.el8.x86_64
      linkmode: dynamic
      memFree: 931704832
      memTotal: 1893818368
      ociRuntime:
        name: runc
        package: runc-1.0.0-70.rc92.module_el8.3.0+699+d61d9c41.x86_64
        path: /usr/bin/runc
        version: 'runc version spec: 1.0.2-dev'
      os: linux
      remoteSocket:
        path: /run/podman/podman.sock
      rootless: false
      slirp4netns:
        executable: ""
        package: ""
        version: ""
      swapFree: 2147479552
      swapTotal: 2147479552
      uptime: 34m 0.25s
    registries:
      search:
      - registry.access.redhat.com
      - registry.redhat.io
      - docker.io
    store:
      configFile: /etc/containers/storage.conf
      containerStore:
        number: 0
        paused: 0
        running: 0
        stopped: 0
      graphDriverName: overlay
      graphOptions:
        overlay.mountopt: nodev,metacopy=on
      graphRoot: /var/lib/containers/storage
      graphStatus:
        Backing Filesystem: xfs
        Native Overlay Diff: "false"
        Supports d_type: "true"
        Using metacopy: "true"
      imageStore:
        number: 0
      runRoot: /var/run/containers/storage
      volumePath: /var/lib/containers/storage/volumes
    version:
      APIVersion: "2"
      Built: 1613969495
      BuiltTime: Mon Feb 22 12:51:35 2021
      GitCommit: ""
      GoVersion: go1.14.12
      OsArch: linux/amd64
      Version: 2.2.1
    

    配置加速器

    //备份配置文件
    [root@localhost ~]# cd /etc/containers/
    [root@localhost containers]# ls
    certs.d  oci  policy.json  registries.conf  registries.d  storage.conf
    [root@localhost containers]# mv registries.conf registries.conf.tmpl
    
    //新建一个空的registries.conf文件,并进行配置(加速器会代为提供镜像内容,只应填写自己信任的地址,并保持TLS校验,不要为其设置insecure = true)
    [root@localhost containers]# vim registries.conf
    unqualified-search-registries = ["docker.io"]
    
    [[registry]]
    prefix = ""
    location= "******.mirror.aliyuncs.com"			#这里填写自己的加速器
    

    podman基础命令应用

    //使用pull命令拉网上的镜像,不指定标签时默认使用latest标签(latest只是标签名,不保证内容是最新版本;需要可复现的环境时应固定版本或摘要)
    [root@localhost ~]# podman pull busybox
    Completed short name "busybox" with unqualified-search registries (origin: /etc/containers/registries.conf)
    Trying to pull docker.io/library/busybox:latest...
    Getting image source signatures
    Copying blob 8b3d7e226fab done  
    Copying config a9d583973f done  
    Writing manifest to image destination
    Storing signatures
    a9d583973f65a19b3bbd7a4312b4e2c27712c44c0ed8b94e9a38cc73e7565b75
    
    //需要指定版本要使用:加指定版本
    [root@localhost ~]# podman pull httpd:2.4-alpine
    Completed short name "httpd" with unqualified-search registries (origin: /etc/containers/registries.conf)
    Trying to pull docker.io/library/httpd:2.4-alpine...
    Getting image source signatures
    Copying blob d632c8441234 done  
    Copying blob 0fcb24848396 done  
    Copying blob f84cab65f19f done  
    Copying blob 3e84dc11ea39 done  
    Copying blob 87259b7246e5 done  
    Copying config 40841bcea4 done  
    Writing manifest to image destination
    Storing signatures
    40841bcea476b7411a163009cb256251aa3830efab8f07a689f52258f145ca48
    
    //使用images查看本地的镜像
    [root@localhost ~]# podman images
    REPOSITORY                 TAG     IMAGE ID      CREATED       SIZE
    docker.io/library/busybox  latest  a9d583973f65  17 hours ago  1.45 MB
    
    //使用images查看本地的镜像
    [root@localhost ~]# podman images
    REPOSITORY                 TAG         IMAGE ID      CREATED       SIZE
    docker.io/library/busybox  latest      a9d583973f65  11 hours ago  1.45 MB
    docker.io/library/httpd    2.4-alpine  40841bcea476  13 days ago   57.8 MB
    
    
    //使用search命令查找网上的镜像httpd
    [root@localhost ~]# podman search httpd
    INDEX      NAME                                             DESCRIPTION                                      STARS   OFFICIAL  AUTOMATED
    docker.io  docker.io/library/httpd                          The Apache HTTP Server Project                   3399    [OK]      
    docker.io  docker.io/centos/httpd-24-centos7                Platform for running Apache httpd 2.4 or bui...  36                
    docker.io  docker.io/manageiq/httpd                         Container with httpd, built on CentOS for Ma...  0                 [OK]
    docker.io  docker.io/clearlinux/httpd                       httpd HyperText Transfer Protocol (HTTP) ser...  1  
    ......
    
    //使用create在一个镜像中创建容器
    [root@localhost ~]# podman create httpd:2.4-alpine 
    7edbc6af5cdcea46a25ea42353cb689845653727bf40eefb12eaa498ef4e5f2b
    
    //使用ps -a查看所有的容器
    [root@localhost ~]# podman ps -a
    CONTAINER ID  IMAGE                               COMMAND           CREATED         STATUS   PORTS   NAMES
    7edbc6af5cdc  docker.io/library/httpd:2.4-alpine  httpd-foreground  48 seconds ago  Created          beautiful_edison
    
    //使用start使容器启动
    [root@localhost ~]# podman start 7edbc6af5cdc
    7edbc6af5cdc
    
    //使用restart重启容器
    [root@localhost ~]# podman restart 7edbc6af5cdc
    7edbc6af5cdcea46a25ea42353cb689845653727bf40eefb12eaa498ef4e5f2b
    
    //使用stop停止容器
    [root@localhost ~]# podman stop 7edbc6af5cdc
    7edbc6af5cdcea46a25ea42353cb689845653727bf40eefb12eaa498ef4e5f2b
    [root@localhost ~]# podman ps -a
    CONTAINER ID  IMAGE                               COMMAND           CREATED        STATUS                    PORTS   NAMES
    7edbc6af5cdc  docker.io/library/httpd:2.4-alpine  httpd-foreground  6 minutes ago  Exited (0) 4 seconds ago          beautiful_edison
    
    //使用rm删除容器(删除时容器应处于停止状态,若容器还在运行则删除失败,可以使用rm -f强制删除)
    [root@localhost ~]# podman rm 7edbc6af5cdc
    7edbc6af5cdcea46a25ea42353cb689845653727bf40eefb12eaa498ef4e5f2b
    [root@yqh ~]# podman ps -a
    CONTAINER ID  IMAGE   COMMAND  CREATED  STATUS  PORTS   NAMES
    
    
    //使用run可以自动进行创建和运行容器(加上-d使其在后台运行)
    [root@localhost ~]# podman run -d httpd
    Completed short name "httpd" with unqualified-search registries (origin: /etc/containers/registries.conf)
    Trying to pull docker.io/library/httpd:latest...
    Getting image source signatures
    Copying blob 243acf75a504 done  
    Copying blob 45b42c59be33 done  
    Copying blob 8fc1ad93a9b1 done  
    Copying blob 83ac8490fcc3 done  
    Copying blob bdb2d204d86d done  
    Copying config 464fdc577e done  
    Writing manifest to image destination
    Storing signatures
    AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.6. Set the 'ServerName' directive globally to suppress this message
    AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.6. Set the 'ServerName' directive globally to suppress this message
    [Wed Mar 10 08:47:56.661193 2021] [mpm_event:notice] [pid 1:tid 140400069350528] AH00489: Apache/2.4.46 (Unix) configured -- resuming normal operations
    [Wed Mar 10 08:47:56.661319 2021] [core:notice] [pid 1:tid 140400069350528] AH00094: Command line: 'httpd -D FOREGROUND'
    
    [root@localhost ~]# podman ps -a
    CONTAINER ID  IMAGE                           COMMAND           CREATED         STATUS             PORTS   NAMES
    1307c283b810  docker.io/library/httpd:latest  httpd-foreground  23 seconds ago  Up 23 seconds ago          bold_bouman
    
    
    //使用inspect查看容器的各种信息,比如IP
    [root@localhost ~]# podman inspect 1307c283b810
            "NetworkSettings": {
                "EndpointID": "",
                "Gateway": "10.88.0.1",
                "IPAddress": "10.88.0.6",
                "IPPrefixLen": 16,
                "IPv6Gateway": "",
                "GlobalIPv6Address": "",
                "GlobalIPv6PrefixLen": 0,
                "MacAddress": "2e:8c:c7:9b:ac:cb",
                "Bridge": "",
                "SandboxID": "",
                "HairpinMode": false,
                "LinkLocalIPv6Address": "",
                "LinkLocalIPv6PrefixLen": 0,
                "Ports": {},
                "SandboxKey": "/var/run/netns/cni-ff472609-0748-aba8-b730-e68eeb4d9f3b"
            },
    
    //使用attach进入到容器的内部,但不能操作且退出时容器也会停止,不推荐使用。
    [root@localhost ~]# podman attach 1307c283b810
    
    (另开一个终端访问它)
    [root@localhost ~]# curl 10.88.0.6
    <html><body><h1>It works!</h1></body></html>
    
    (内部出现访问信息)
    10.88.0.1 - - [10/Mar/2021:09:59:12 +0000] "GET / HTTP/1.1" 200 45
    
    (Ctrl+C终止容器运行)
    ^C[Wed Mar 10 09:59:20.064118 2021] [mpm_event:notice] [pid 1:tid 140400069350528] AH00491: caught SIGTERM, shutting down
    
    //使用exec -it指定交互模式进入容器,比如/bin/bash或/bin/sh,由此可以实现操作且退出时容器不会停止
    (需要先启动容器)
    [root@localhost ~]# podman start 1307c283b810
    1307c283b810
    [root@localhost ~]# podman exec -it 1307c283b810 /bin/sh
    # pwd
    /usr/local/apache2
    

    普通用户使用的配置

    在允许没有root权限的用户运行Podman之前,管理员必须安装或构建Podman并完成以下配置。

    详情见 Podman官方文档

    创建普通用户

    [root@localhost ~]# useradd yc
    

    cgroup V2支持
    cgroup V2 Linux内核功能允许用户限制无根容器可以使用的资源量。如果使用cgroup V2启用了运行Podman的Linux发行版,则可能需要更改默认的OCI运行时。某些较旧的版本runc不适用于cgroup V2,您可能必须切换到备用OCI运行时crun。

    可以在系统级或用户级的containers.conf文件中,把“默认OCI运行时”的值从runtime = "runc"改为runtime = "crun",该设置对所有命令生效。

    //安装crun
    [root@localhost ~]# yum -y install crun
    
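    //取消注释并修改成crun(/usr/share/containers/containers.conf是软件包自带的默认文件,升级时可能被覆盖;需要持久保留的修改建议写入/etc/containers/containers.conf)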
    [root@localhost ~]# vim /usr/share/containers/containers.conf
    runtime = "crun"
              
    //启动一个容器查看
    [root@localhost ~]# podman run -d --rm --name web2 nginx
    [root@localhost ~]# podman inspect web2|grep crun
            "OCIRuntime": "crun",
                "crun",
    

    安装slirp4netns

    提供用户模式网络,并且必须安装上才能使Podman在普通用户环境中运行

    [root@localhost ~]# yum -y install slirp4netns
    

    安装fuse-overlayfs

    在普通用户环境下,建议使用fuse-overlayfs文件系统而不是VFS文件系统

    [root@localhost ~]# yum -y install fuse-overlayfs
    
    //确保配置文件如下
    [root@localhost ~]# vim /etc/containers/storage.conf
    [storage]
    driver = "overlay"
    ······
    mount_program = "/usr/bin/fuse-overlayfs"		#取消注释
    

    启用用户名称空间(RHEL7)

    /proc/sys/user/max_user_namespaces文件中指定了系统上允许的用户名称空间的数量。在大多数Linux平台上,该值默认已经设置好,因此无需进行任何调整。但是,在RHEL7上,具有root权限的用户可能需要使用以下命令将其设置为合理的值: sysctl user.max_user_namespaces=15000

    配置/etc/subuid和/etc/subgid
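    安装shadow或newuid(在RHEL/CentOS上对应的软件包名是shadow-utils,它提供newuidmap和newgidmap;下面命令中的包名需按发行版替换)。/etc/subuid和/etc/subgid中各用户的从属ID范围不应相互重叠,否则不同用户的容器会映射到同一段UID/GID。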

    [root@localhost ~]# yum -y install shadow
    
    [root@localhost ~]# yum -y install newuid
    

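    启用非特权ping(下面的命令实际作用是:允许非特权用户绑定低位端口)

    注意:net.ipv4.ip_unprivileged_port_start=80设置的是非特权用户可以绑定的最小端口号,与ping无关;非特权ping对应的内核参数是net.ipv4.ping_group_range。该设置对本机所有普通用户生效,即任何本地用户都可以监听80及以上的端口,启用前应评估是否可以接受。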

    [root@localhost ~]# echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf
    [root@localhost ~]# sysctl -p
    net.ipv4.ip_unprivileged_port_start = 80
    

    使用普通用户启动nginx容器测试

    //启动一个nginx容器
    [yc@localhos ~]$ podman run -d --name web -p 80:80 nginx
    ae9b8ef916baf09a92801b1f72e14df44a9253b6bb122348174058dabb3b15d1
    
    [yc@localhos ~]$ podman ps -a
    CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS               NAMES
    ae9b8ef916ba  docker.io/library/nginx:latest  nginx -g daemon o...  5 minutes ago  Up 4 minutes ago  0.0.0.0:80->80/tcp  web
    
    [localhost@yc ~]$ ss -antl
    State     Recv-Q     Send-Q         Local Address:Port         Peer Address:Port    
    LISTEN    0          128                  0.0.0.0:22                0.0.0.0:*       
    LISTEN    0          128                        *:80                      *:*       
    LISTEN    0          128                     [::]:22                   [::]:* 
    

    授权文件

    • podman login和podman logout命令使用的默认授权文件位于${XDG_RUNTIME_DIR}/containers/auth.json。该文件中的登录凭据只经过base64编码而未加密,应限制其访问权限,不再需要时用podman logout清除。
    //使用root用户登录官网
    [root@localhost ~]# podman login
    Username: yanchuang
    Password: 
    Login Succeeded!
    
    [root@localhost ~]# find / -name auth.json
    /run/containers/0/auth.json
    

    不用创建仓库推镜像至官网

    [root@localhos ~]# podman images
    REPOSITORY                 TAG     IMAGE ID      CREATED       SIZE
    docker.io/library/busybox  latest  a9d583973f65  1 hours ago  1.45 MB
    docker.io/library/nginx    latest  35c43ace9216  1 hours ago   137 MB
    docker.io/library/httpd    latest  464fdc577ef4  1 hours ago   142 MB
    
    //给busybox打上标签
    [root@localhos ~]# podman tag docker.io/library/busybox:latest docker.io/baoziong/busybox:v0.1
    
    //直接上传镜像
    [root@localhos ~]# podman push docker.io/baoziong/busybox:v0.1
    Getting image source signatures
    Copying blob 2983725f2649 skipped: already exists  
    Copying config a9d583973f done  
    Writing manifest to image destination
    Storing signatures
    
  • 原文地址:https://www.cnblogs.com/Ycqifei/p/14515091.html