podmen

在无根环境中基本设置和使用Podman

安装podmen

[root@localhostl ~]# yum -y remove docker-ce
[root@localhostl ~]# yum -y install podman
[root@localhostl ~]# cd /etc/containers/
[root@localhostl containers]# cp registries.conf{,-origin}
[root@localhostl containers]# rm -f registries.conf
[root@localhostl containers]# vim registries.conf
unqualified-search-registries = ["docker.io"]

[[registry]]
prefix = ""
location = "xxxx.mirror.aliyuncs.com"

安装必要环境

//cgroups V2支持
[root@localhostl ~]# yum -y install crun
[root@localhostl ~]# cd /usr/share/containers/
[root@localhostl containers]# vim containers.conf 
# runtime = "runc"   //取消注释再改成crun

//安装slirp4netns包
[root@localhostl ~]# yum install slirp4netns

//安装fuse-overlayfs包，版本至少要0.7.6
[root@localhostl ~]# yum -y install fuse-overlayfs
[root@localhostl ~]# rpm -qa|grep fuse-overlayfs
fuse-overlayfs-1.3.0-2.module_el8.3.0+699+d61d9c41.x86_64

[root@localhostl ~]# cd /etc/containers/
[root@localhostl containers]# vim storage.conf 
# Default Storage Driver
driver = "overlay"     //确保是overlay

# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
#mount_program = "/usr/bin/fuse-overlayfs"    //取消注释

/etc/subuid 和/etc/subgid 配置

如果更新/etc/subuid或/etc/subgid文件，则需要停止用户拥有的所有正在运行的容器，并终止该用户在系统上运行的暂停进程。这可以通过使用podman system migrate命令，它将停止用户的所有容器，并将终止暂停进程。

[root@localhostl containers]# cat /etc/subuid
tom:100000:65536
jerry:165536:65536
[root@localhostl containers]# cat /etc/subgid
tom:100000:65536
jerry:165536:65536

使用普通用户来使用podman创建容器

[root@localhostl ~]# podman images
REPOSITORY                TAG     IMAGE ID      CREATED       SIZE
docker.io/library/nginx   latest  35c43ace9216  2 weeks ago   137 MB
docker.io/library/centos  latest  300e315adb2f  3 months ago  217 MB
[root@localhostl ~]# useradd jerry
[root@localhostl ~]# su - jerry
[jerry@localhostl ~]$ podman images
REPOSITORY  TAG     IMAGE ID  CREATED  SIZE
//root用户和普通用户拉的镜像不是放在同一位置，普通用户和root用户启动的容器名称可以相同。
[jerry@localhostl ~]$ podman pull busybox
[jerry@localhostl ~]$ podman images
REPOSITORY                 TAG     IMAGE ID      CREATED       SIZE
docker.io/library/busybox  latest  a9d583973f65  12 hours ago  1.45 MB
[root@localhostl ~]# podman images
REPOSITORY                TAG     IMAGE ID      CREATED       SIZE
docker.io/library/nginx   latest  35c43ace9216  2 weeks ago   137 MB
docker.io/library/centos  latest  300e315adb2f  3 months ago  217 MB
[jerry@localhostl ~]$ podman pull nginx
//普通用户创建容器映射端口时，要么进入/etc/sysctl.conf改配置文件，要么选一个大于等于1024的端口号
[root@localhostl ~]# vim /etc/sysctl.conf
net.ipv4.ip_unprivileged_port_start=80   //加入这一行
[root@localhostl ~]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.ip_unprivileged_port_start = 80
[jerry@localhostl ~]$ podman run -d --name web2 -p 80:80 nginx
[jerry@localhostl ~]$ ss -antl
State      Recv-Q      Send-Q           Local Address:Port           Peer Address:Port     
LISTEN     0           128                    0.0.0.0:22                  0.0.0.0:*        
LISTEN     0           128                          *:80                        *:*        
LISTEN     0           128                       [::]:22                     [::]:*    

使用普通用户创建容器会发现容器内容器外UID不一致

[jerry@localhostl ~]$ whoami
jerry
[jerry@localhostl ~]$ podman run -it --rm -v /home/jerry/test:/data busybox /bin/sh
/ # cd data/
/data # touch abc
/data # ls -l
total 0
-rw-r--r--    1 root     root             0 Mar 10 10:54 abc
/data # exit
[jerry@localhostl ~]$ cd test/
[jerry@localhostl test]$ ll -h
total 0
-rw-r--r--. 1 jerry jerry 0 Mar 10 18:54 abc

为了使UID保持一致，可以使用--userns=keep-id命令

[jerry@localhostl ~]$ podman run -it --rm --userns keep-id -v /home/jerry/test:/data busybox /bin/sh
~ $ id
uid=1001(jerry) gid=1001(jerry) groups=10(wheel)
~ $ cd data/
/data $ ls -l
total 0
-rw-r--r--    1 jerry    jerry            0 Mar 10 10:54 abc
/data $