Basic setup and use of Podman in a rootless environment
Installing Podman
[root@localhostl ~]# yum -y remove docker-ce
[root@localhostl ~]# yum -y install podman
[root@localhostl ~]# cd /etc/containers/
[root@localhostl containers]# cp registries.conf{,-origin}
[root@localhostl containers]# rm -f registries.conf
[root@localhostl containers]# vim registries.conf
unqualified-search-registries = ["docker.io"]

[[registry]]
prefix = ""
location = "xxxx.mirror.aliyuncs.com"
Installing the prerequisites
//cgroups v2 support
[root@localhostl ~]# yum -y install crun
[root@localhostl ~]# cd /usr/share/containers/
[root@localhostl containers]# vim containers.conf
# runtime = "runc"    //uncomment this line and change runc to crun
//install the slirp4netns package
[root@localhostl ~]# yum install slirp4netns
//install the fuse-overlayfs package; the version must be at least 0.7.6
[root@localhostl ~]# yum -y install fuse-overlayfs
[root@localhostl ~]# rpm -qa|grep fuse-overlayfs
fuse-overlayfs-1.3.0-2.module_el8.3.0+699+d61d9c41.x86_64
[root@localhostl ~]# cd /etc/containers/
[root@localhostl containers]# vim storage.conf
# Default Storage Driver
driver = "overlay"    //make sure this is overlay
# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
#mount_program = "/usr/bin/fuse-overlayfs"    //uncomment this line
If /etc/subuid or /etc/subgid is updated, all running containers owned by that user must be stopped, and the pause process the user has running on the system must be killed. This can be done with podman system migrate.
[root@localhostl containers]# cat /etc/subuid
tom:100000:65536
jerry:165536:65536
[root@localhostl containers]# cat /etc/subgid
tom:100000:65536
jerry:165536:65536
Creating containers with Podman as a regular user
[root@localhostl ~]# podman images
REPOSITORY                 TAG      IMAGE ID       CREATED        SIZE
docker.io/library/nginx    latest   35c43ace9216   2 weeks ago    137 MB
docker.io/library/centos   latest   300e315adb2f   3 months ago   217 MB
[root@localhostl ~]# useradd jerry
[root@localhostl ~]# su - jerry
[jerry@localhostl ~]$ podman images
REPOSITORY   TAG   IMAGE ID   CREATED   SIZE
//images pulled by root and by a regular user are not stored in the same location; a regular user and root can start containers with the same name.
[jerry@localhostl ~]$ podman pull busybox
[jerry@localhostl ~]$ podman images
REPOSITORY                  TAG      IMAGE ID       CREATED        SIZE
docker.io/library/busybox   latest   a9d583973f65   12 hours ago   1.45 MB
[root@localhostl ~]# podman images
REPOSITORY                 TAG      IMAGE ID       CREATED        SIZE
docker.io/library/nginx    latest   35c43ace9216   2 weeks ago    137 MB
docker.io/library/centos   latest   300e315adb2f   3 months ago   217 MB
[jerry@localhostl ~]$ podman pull nginx
//when a regular user maps a port for a container, either change the setting in /etc/sysctl.conf or pick a port number of 1024 or higher
[root@localhostl ~]# vim /etc/sysctl.conf
net.ipv4.ip_unprivileged_port_start=80    //add this line
[root@localhostl ~]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.ip_unprivileged_port_start = 80
[jerry@localhostl ~]$ podman run -d --name web2 -p 80:80 nginx
[jerry@localhostl ~]$ ss -antl
State    Recv-Q   Send-Q   Local Address:Port   Peer Address:Port
LISTEN   0        128      0.0.0.0:22           0.0.0.0:*
LISTEN   0        128      *:80                 *:*
LISTEN   0        128      [::]:22              [::]:*
When a regular user creates a container, the UID inside the container does not match the UID outside it
[jerry@localhostl ~]$ whoami
jerry
[jerry@localhostl ~]$ podman run -it --rm -v /home/jerry/test:/data busybox /bin/sh
/ # cd data/
/data # touch abc
/data # ls -l
total 0
-rw-r--r--    1 root     root             0 Mar 10 10:54 abc
/data # exit
[jerry@localhostl ~]$ cd test/
[jerry@localhostl test]$ ll -h
total 0
-rw-r--r--. 1 jerry jerry 0 Mar 10 18:54 abc
To keep the UID consistent, use the --userns=keep-id option
[jerry@localhostl ~]$ podman run -it --rm --userns keep-id -v /home/jerry/test:/data busybox /bin/sh
~ $ id
uid=1001(jerry) gid=1001(jerry) groups=10(wheel)
~ $ cd data/
/data $ ls -l
total 0
-rw-r--r--    1 jerry    jerry            0 Mar 10 10:54 abc
/data $
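The ownership flip seen above (root inside the container, jerry on the host) and the fix with --userns=keep-id both follow from how rootless Podman maps container UIDs onto the subordinate range in /etc/subuid. The script below is an added example, not code from the original post or from the Podman project: it reads subuid-style lines, flags overlapping ranges (two users sharing subordinate UIDs would let their containers read and write each other's files), and computes the host UID for a given container UID under the default rootless map and under keep-id. The subuid lines are constructed to match the post's tom and jerry entries; the host UIDs 1000 (tom) and 1001 (jerry) are assumptions, and the keep-id layout follows the three-range map Podman builds. On a real system, the mapping in effect can be confirmed with cat /proc/self/uid_map inside the container.

```shell
#!/bin/sh
# Added example (not from the original post). Models rootless Podman's
# container-UID -> host-UID mapping from /etc/subuid.
# CONSTRUCTED input matching the post's /etc/subuid; host uids are assumptions.
SUBUID_SAMPLE='tom:100000:65536
jerry:165536:65536'

# subuid_range USER -> prints "START COUNT" for USER; fails if USER has no entry
subuid_range() {
    printf '%s\n' "$SUBUID_SAMPLE" |
        awk -F: -v u="$1" '$1 == u { print $2, $3; found = 1 } END { exit !found }'
}

# subuid_overlaps SUBUID_TEXT -> prints each pair of users whose ranges overlap;
# exit status 0 only when no two ranges overlap.
subuid_overlaps() {
    printf '%s\n' "$1" | awk -F: '
        { user[NR] = $1; lo[NR] = $2; hi[NR] = $2 + $3 - 1 }
        END {
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) { print user[i], user[j]; bad = 1 }
            exit bad
        }'
}

# host_uid_default USER HOST_UID CONTAINER_UID
# Default rootless map: container uid 0 -> the user's own host uid (which is
# why root's "touch abc" shows up as jerry on the host);
# container uid N in 1..COUNT -> START + N - 1.
host_uid_default() {
    range=$(subuid_range "$1") || return 1
    start=${range% *}; count=${range#* }
    if [ "$3" -eq 0 ]; then
        echo "$2"
    elif [ "$3" -le "$count" ]; then
        echo $(( start + $3 - 1 ))
    else
        return 1   # outside the range: appears as the overflow uid (nobody)
    fi
}

# host_uid_keep_id USER HOST_UID CONTAINER_UID
# --userns=keep-id map (three ranges, as Podman builds it):
#   container 0..HOST_UID-1  -> START + uid
#   container HOST_UID       -> HOST_UID           (the user's own identity)
#   container HOST_UID+1..COUNT -> START + uid - 1
host_uid_keep_id() {
    range=$(subuid_range "$1") || return 1
    start=${range% *}; count=${range#* }
    if [ "$3" -eq "$2" ]; then
        echo "$2"
    elif [ "$3" -lt "$2" ]; then
        echo $(( start + $3 ))
    elif [ "$3" -le "$count" ]; then
        echo $(( start + $3 - 1 ))
    else
        return 1
    fi
}

# Reproduce the post's two observations for jerry (assumed host uid 1001).
echo "default map: container root  -> host uid $(host_uid_default jerry 1001 0)"
echo "default map: container uid 1 -> host uid $(host_uid_default jerry 1001 1)"
echo "keep-id:     container 1001  -> host uid $(host_uid_keep_id jerry 1001 1001)"
subuid_overlaps "$SUBUID_SAMPLE" && echo "no overlapping subuid ranges"
```

Running it prints 1001, 165536 and 1001 for the three lookups, matching the ls output in the two sessions above. The overlap check is the part worth keeping around: useradd normally allocates disjoint ranges, but ranges edited by hand (as in the post) should be checked before running podman system migrate.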