podman命令使用和用户配置
什么是Podman?
详情见:什么是Podman?
Podman可以替换Docker中了大多数子命令(RUN,PUSH,PULL等)。Podman不需要守护进程,而是使用用户命名空间来模拟容器中的root,无需连接到具有root权限的套接字保证容器的体系安全。
Podman专注于维护和修改OCI镜像的所有命令和功能,例如拉动和标记。它还允许我们创建,运行和维护从这些图像创建的容器。
Podman 可以管理和运行任何符合 OCI(Open Container Initiative)规范的容器和容器镜像。Podman 提供了一个与 Docker 兼容的命令行前端来管理 Docker 镜像。
-
Podman 官网地址:https://podman.io/
-
Podman 项目地址:https://github.com/containers/libpod
PODMAN主要由红帽发起和推动,是下一代的容器技术,包括如下三个模块:Podman,Skopeo和Buildah
这三个工具都是符合OCI计划下的工具(github/containers)。主要是由RedHat推动的,他们配合可以完成Docker所有的功能,而且不需要守护程序或访问有root权限的组,更加安全可靠,是下一代容器容器工具。
Podman 是一个开源的容器运行时项目,可在大多数 Linux 平台上使用。Podman 提供与 Docker 非常相似的功能。正如前面提到的那样,它不需要在你的系统上运行任何守护进程,并且它也可以在没有 root 权限的情况下运行。
Podman 和docker不同之处?
-
docker 需要在我们的系统上运行一个守护进程(docker daemon),而podman 不需要
-
启动容器的方式不同:
docker cli命令通过API跟Docker Engine(引擎)交互告诉它我想创建一个container,然后docker Engine才会调用OCI container runtime(runc)来启动一个container。这代表container的process(进程)不会是Docker CLI的child process(子进程),而是Docker Engine的child process。Podman是直接给OCI containner runtime(runc)进行交互来创建container的,所以container process直接是podman的child process。 -
因为docke有docker daemon,所以docker启动的容器支持
--restart策略,但是podman不支持,如果在k8s中就不存在这个问题,我们可以设置pod的重启策略,在系统中我们可以采用编写systemd服务来完成自启动 -
docker需要使用root用户来创建容器,但是podman不需要
Podman安装和配置加速器
安装Podman
[root@localhost yum.repos.d]# yum -y install podman
Updating Subscription Management repositories.
warning: /var/cache/dnf/base-43708d1174dbbac2/packages/checkpolicy-2.9-1.el8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 8483c65d: NOKEY
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : python3-libsemanage-2.9-2.el8.x86_64 1/22
Verifying : podman-2.2.1-7.module_el8.3.0+699+d61d9c41.x86_64 17/22
Verifying : podman-catatonit-2.2.1-7.module_el8.3.0+699+d61d9c41.x 18/22
Verifying : protobuf-c-1.3.0-4.el8.x86_64 19/22
Complete!
Podman别名
//别名为docker
[root@localhost ~]# alias docker=podman
//确认没有装docker
[root@localhost ~]# rpm -qa|grep docker
//可以使用“docker”命令
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest 35c43ace9216 2 weeks ago 137 MB
配置加速器
加速器的获取,详情见:Docker的基本用法
//备份文件
[root@localhost ~]# cd /etc/containers/
[root@localhost containers]# ls
certs.d oci policy.json registries.conf registries.d storage.conf
[root@localhost containers]# mv registries.conf registries.conf-origin
[root@localhost containers]# ls
certs.d policy.json registries.conf-origin storage.conf
oci registries.conf registries.d
//配置文件
#prefix后面可以不跟配置,加速器使用的是自己的阿里云加速器
[root@localhost containers]# vim registries.conf
unqualified-search-registries = ["docker.io"]
[[registry]]
prefix = "docker.io"
location = "zyva0762.mirror.aliyuncs.com"
Podman基本命令
- podman search 在官网搜索镜像
[root@localhost ~]# podman search nginx
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
docker.io docker.io/library/nginx Official build of Nginx. 14547 [OK]
docker.io docker.io/jwilder/nginx-proxy Automated Nginx reverse proxy for docker con... 1982 [OK]
docker.io docker.io/bitnami/nginx Bitnami nginx Docker Image 94 [OK]
- podman pull 下载官网的镜像,不加版本号默认下载最新版本
[root@localhost ~]# podman pull nginx
Completed short name "nginx" with unqualified-search registries (origin: /etc/containers/registries.conf)
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob 19e2441aeeab done
Copying blob 8acc495f1d91 done
Copying blob f5a38c5f8d4e done
Copying blob 45b42c59be33 [======================================] 25.8MiB / 25.8MiB
Copying blob ec3bd7de90d7 done
Copying blob 83500d851118 done
Copying config 35c43ace92 done
Writing manifest to image destination
Storing signatures
35c43ace9216212c0f0e546a65eec93fa9fc8e96b25880ee222b7ed2ca1d2151
- podman images 查看有哪些镜像
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest 35c43ace9216 2 weeks ago 137 MB
- podman create 创建一个容器
#第一种方式
[root@localhost ~]# podman create docker.io/library/nginx
6c491585fba9de855e425571b919c3bc33bbe2bd7d43097979fc0cd63864297b
#第二种方式
[root@localhost ~]# podman create nginx
19a2b985132f269556bdfb9b0772e090e25f6fbf16948a08de4867a7b14c011c
- podman ps 查看正在运行的容器;-a 表示所有的容器
[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@localhost ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
19a2b985132f docker.io/library/nginx:latest nginx -g daemon o... 22 seconds ago Created romantic_saha
6c491585fba9 docker.io/library/nginx nginx -g daemon o... 29 seconds ago Created elegant_elion
- podman start 启动容器
[root@localhost ~]# podman start 79c842403792
79c842403792
#查看正在运行的容器
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
79c842403792 docker.io/library/nginx:latest nginx -g daemon o... 50 seconds ago Up 22 seconds ago vigorous_newton
- podman stop 停止容器运行
[root@localhost ~]# podman stop 79c842403792
79c8424037921370db4b12473dac4d5f5a899d5bd0deb510743d4e7fe6a07839
#查看正在运行的容器
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
- podman restart 重启容器
[root@localhost ~]# podman restart 79c842403792
79c8424037921370db4b12473dac4d5f5a899d5bd0deb510743d4e7fe6a07839
#查看正在运行的容器
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
79c842403792 docker.io/library/nginx:latest nginx -g daemon o... 5 minutes ago Up 3 seconds ago vigorous_newton
- podman rm 删除一个容器,不能删除正在运行的容器;-f可以删除正在运行的容器;rmi删除镜像
#查看正在运行的容器
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
79c842403792 docker.io/library/nginx:latest nginx -g daemon o... 6 minutes ago Up About a minute ago vigorous_newton
#删除容器报错
[root@localhost ~]# podman rm 79c842403792
Error: cannot remove container 79c8424037921370db4b12473dac4d5f5a899d5bd0deb510743d4e7fe6a07839 as it is running - running or paused containers cannot be removed without force: container state improper
#强制删除
[root@localhost ~]# podman rm -f 79c842403792
79c8424037921370db4b12473dac4d5f5a899d5bd0deb510743d4e7fe6a07839
#停止运行
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
- podman run 直接运行一个容器;-d在后台运行
#运行一个容器
[root@localhost ~]# podman run nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
#打开新终端,查看正在运行的容器
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1a2defb333e2 docker.io/library/nginx:latest nginx -g daemon o... 23 seconds ago Up 23 seconds ago dazzling_perlman
#-d在后台运行
[root@localhost ~]# podman run -d nginx
966417eedde4e21a7216a7a5126069431fa0e5f3bd0abdea6d94a16520acd24e
- podman logs 查看容器日志
[root@localhost ~]# podman logs 966417eedde4
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
#在一台终端上访问IP
[root@localhost ~]# curl 10.88.0.5
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
#日志已更新
[root@localhost ~]# podman logs 966417eedde4
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
10.88.0.1 - - [10/Mar/2021:11:11:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.61.1" "-"
- podman inspect 查看容器的各种信息
[root@localhost ~]# podman inspect 966417eedde4
#查看IP
"EndpointID": "",
"Gateway": "10.88.0.1",
"IPAddress": "10.88.0.5",
"IPPrefixLen": 16,
- podman attach 进入到容器的同一个位置,执行操作的时候,另外一边的终端里的容器也会显示同样操作,类似”镜像“
#运行一个容器
[root@localhost ~]# podman run -d --rm nginx
cfbfa482d627e4355b5dba7db1e9f7e872c5964501f872595ef44edd0f10be7a
#查看正在运行的容器
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cfbfa482d627 docker.io/library/nginx:latest nginx -g daemon o... 4 seconds ago Up 4 seconds ago cranky_buck
#打开一个新终端进入容器
[root@localhost ~]# podman attach cfbfa482d627
10.88.0.1 - - [10/Mar/2021:16:18:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.61.1" "-"
#在之前的终端上访问容器的IP
[root@localhost ~]# curl 10.88.0.6
<!DOCTYPE html>
<html>
<title>Welcome to nginx!</title>
</html>
#发现在新终端中的容器里面显示了访问的记录
- podman exec -it 进入容器后面加上指令例如:/bin/bash,exit退出时不会删除容器
[root@localhost ~]# podman run -d --rm --name web nginx
0df13a8ec23469f0579aa0ab8bac8d420f54ea9837c8bdd26e23e79715c324bf
[root@localhost ~]# podman exec -it web /bin/bash
root@0df13a8ec234:/# exit
exit
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0df13a8ec234 docker.io/library/nginx:latest nginx -g daemon o... 24 seconds ago Up 23 seconds ago web
- podman top 查看容器进程情况
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0df13a8ec234 docker.io/library/nginx:latest nginx -g daemon o... 8 minutes ago Up 8 minutes ago web
#有两个进程
[root@localhost ~]# podman top 0df13a8ec234
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
root 1 0 0.000 8m36.093744355s ? 0s nginx: master process nginx -g daemon off;
nginx 27 1 0.000 8m36.093945649s ? 0s nginx: worker process
普通用户使用的配置
在允许没有root权限的用户运行Podman之前,管理员必须安装或构建Podman并完成以下配置。
具体步骤: Podman官方文档
创建一个普通账户
[root@localhost ~]# useradd ldaz
[root@localhost ~]# ll /home/
total 0
drwx------. 2 ldaz ldaz 62 Mar 11 00:45 ldaz
#使用ldaz用户登录
[root@localhost ~]# su - ldaz
Last login: Thu Mar 11 00:48:26 CST 2021 on pts/0
普通用户和root用户差异
- 镜像放的位置不同
#ldaz用户
[ldaz@localhost ~]$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
#root用户
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/busybox latest b97242f89c8a 8 weeks ago 1.45 MB
docker.io/library/nginx latest f6d0b4767a6c 8 weeks ago 137 MB
- 启动容器的是互不相关的,运行同名的服务,也是互不影响的
#在ldaz用户机上创建一个容器
[ldaz@localhost ~]$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/busybox latest b97242f89c8a 8 weeks ago 1.45 MB
[ldaz@localhost ~]$ podman run -it busybox
/ # ls
bin dev etc home proc root run sys tmp usr var
/ #
#在root用户上是看不到ldaz用户机上运行的容器的
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cgroup V2支持
cgroup V2Linux内核功能允许用户限制普通用户容器可以使用的资源,如果使用cgroup V2启用了运行Podman的Linux发行版,则可能需要更改默认的OCI运行时。某些较旧的版本runc不适用于cgroup V2,必须切换到备用OCI运行时crun。
用于通过在系统级或在任一改变用于在containers.conf文件“默认OCI运行时”的值的所有命令用户级别从runtime = "runc"到runtime = "crun"。
//在root用户机中完成下列操作
##安装crun
[root@localhost ~]# yum -y install crun
Installed:
crun-0.16-2.module_el8.3.0+699+d61d9c41.x86_64 yajl-2.1.0-10.el8.x86_64
Complete!
#取消注释,修改成crun
[root@localhost ~]# vim /usr/share/containers/containers.conf
# Default OCI runtime
#
runtime = "crun"
#启动一个容器查看一下
[root@localhost ~]# podman run -d --rm nginx
300a7a6bff3ad3bc9c460536bc482ca673d986a6fc48f008fa67086a3106eeb0
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
300a7a6bff3a docker.io/library/nginx:latest nginx -g daemon o... 8 seconds ago Up 8 seconds ago vibrant_einstein
#过滤crun查看一下
[root@localhost ~]# podman inspect 300a7a6bff3a|grep crun
"OCIRuntime": "crun",
"crun",
安装slirp4netns
提供用户模式网络,并且必须安装上才能使Podman在普通用户环境中运行
[root@localhost ~]# yum -y install slirp4netns
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Repository AppStream is listed more than once in the configuration
Last metadata expiration check: 0:56:18 ago on Thu 11 Mar 2021 12:23:46 AM CST.
Package slirp4netns-1.1.8-1.module_el8.3.0+699+d61d9c41.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@localhost ~]# c
slirp4netns-1.1.8-1.module_el8.3.0+699+d61d9c41.x86_64
安装fuse-overlayfs
在普通用户环境中使用Podman时,建议使用fuse-overlayfs而不是VFS文件系统,至少需要版本0.7.6
[root@localhost ~]# yum -y install fuse-overlayfs
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Repository AppStream is listed more than once in the configuration
Last metadata expiration check: 0:58:28 ago on Thu 11 Mar 2021 12:23:46 AM CST.
Package fuse-overlayfs-1.3.0-2.module_el8.3.0+699+d61d9c41.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@localhost ~]# rpm -qa|grep fuse-overlayfs
fuse-overlayfs-1.3.0-2.module_el8.3.0+699+d61d9c41.x86_64
配置storage.conf文件
[root@localhost ~]# vim /etc/containers/storage.conf
# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
#取消下面这行的注释
mount_program = "/usr/bin/fuse-overlayfs"
配置/etc/subuid和/etc/subgid
Podman要求运行它的用户在/ etc / subuid和/ etc / subgid文件中列出一系列UID,shadow-utils或newuid包提供这些文件
[root@localhost ~]# yum -y install shadow
使用允许每个用户创建类似于以下内容的容器的字段来更新/etc/subuid和/etc /subgid的字段。请注意,每个用户的值必须唯一且没有任何重叠。如果存在重叠,则用户有可能使用其他人的命名空间,并且他们可能破坏该命名空间
[root@localhost ~]# cat /etc/subuid
ldaz:100000:65536
[root@localhost ~]# useradd ldz
[root@localhost ~]# cat /etc/subuid
ldaz:100000:65536
ldz:165536:65536
该文件的格式为 USERNAME:UID:RANGE
- 在/etc/passwd或getpwent中列出的用户名。
- 为用户分配的初始uid。
- 为用户分配的UID范围的大小。
用户配置文件
根目录的Podman配置文件位于中,/usr/share/containers并带有覆盖/etc/containers。在无根环境中,它们${XDG_CONFIG_HOME}/containers通常位于,~/.config/containers并由每个用户拥有。
三个主要的配置文件是container.conf,storage.conf和registries.conf。用户可以根据需要修改这些文件。
container.conf
/usr/share/containers/containers.conf/etc/containers/containers.conf$HOME/.config/containers/containers.conf
如果它们以该顺序存在。每个文件都可以覆盖特定字段的先前文件。
storage.conf
/etc/containers/storage.conf$HOME/.config/containers/storage.conf
在普通用户机中,/etc/containers/storage.conf中某些字段将被忽略。这些字段是:
graphroot=""
container storage graph dir (default: "/var/lib/containers/storage")
Default directory to store all writable content created by container storage programs.
runroot=""
container storage run dir (default: "/run/containers/storage")
Default directory to store all temporary writable content created by container storage programs.
在普通用户中,这些字段默认为
graphroot="$HOME/.local/share/containers/storage"
runroot="$XDG_RUNTIME_DIR/containers"
registries.conf
配置按此顺序读入,这些文件不是默认创建的,可以从/usr/share/containers或复制文件/etc/containers并进行修改。
/etc/containers/registries.conf/etc/containers/registries.d/*HOME/.config/containers/registries.conf
使用卷
无根的Podman不是现在,也永远不会是根。它不是setuid二进制文件,并且在运行时不会获得任何特权。取而代之的是,Podman利用用户名称空间来转移其所在主机的用户块(通过newuidmap和newgidmap可执行文件)以及您自己的用户(在Podman创建的容器内)的用户块的UID和GID。
如果您的容器与root用户一起运行,则root容器中的用户实际上就是主机上的用户。UID / GID 1是在/etc/subuid和/etc/subgid等中用户映射中指定的第一个UID / GID 。如果您以无根用户的身份从主机目录挂载到容器中,并在该目录中以根用户身份创建文件,则您会看到它实际上是您的用户在主机上拥有的。
演示如下:
##在普通用户机上完成操作
[ldaz@localhost ~]$ whoami
ldaz
[ldaz@localhost ~]$ ls
[ldaz@localhost ~]$ mkdir leidazhuang
[ldaz@localhost ~]$ ls
leidazhuang
[ldaz@localhost ~]$ ll
total 0
drwxrwxr-x. 2 ldaz ldaz 6 Mar 11 01:46 leidazhuang
[ldaz@localhost ~]$ podman run -it --rm -v /home/ldaz/leidazhuang:/data:Z busybox /bin/sh
/ # ls
bin data dev etc home proc root run sys tmp usr var
/ # cd data/
/data # touch abc
/data # ls
abc