Introduction to Podman
Podman is an open source project, available on most Linux platforms and developed on GitHub. Podman is a daemonless container engine for developing, managing and running Open Container Initiative (OCI) containers and container images on Linux systems. Podman provides a Docker-compatible command line front end that can simply stand in for the Docker CLI; put plainly, you can add the alias `alias docker=podman` and use Podman through the commands you already know.
Containers under Podman's control can be run by the root user or by an unprivileged user. Podman manages the whole container ecosystem: pods, containers, container images and container volumes, using the libpod library. Podman concentrates on the commands and features you need to maintain and modify OCI container images, such as pulling and tagging. It lets you create, run and maintain containers created from those images in a production environment.
- Podman website: https://podman.io/
- Podman project repository: https://github.com/containers/libpod
Installing podman
// Configure the yum repositories (Aliyun mirrors for CentOS 8 and EPEL 8)
[root@ansible ~]# curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-8.repo
[root@ansible ~]# sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
[root@ansible ~]# sed -i 's#$releasever#8#g' /etc/yum.repos.d/CentOS-Base.repo
[root@ansible ~]# yum install -y https://mirrors.aliyun.com/epel/epel-release-latest-8.noarch.rpm
[root@ansible ~]# sed -i 's|^#baseurl=https://download.fedoraproject.org/pub|baseurl=https://mirrors.aliyun.com|' /etc/yum.repos.d/epel*
[root@ansible ~]# sed -i 's|^metalink|#metalink|' /etc/yum.repos.d/epel*
[root@ansible ~]# sed -i 's#$releasever#8#g' /etc/yum.repos.d/epel.repo
// Note: replacing the metalink with a fixed baseurl gives up the metalink's checksum of the repository metadata, so leave gpgcheck=1 in place so packages from the mirror are still signature-verified.
// Install podman with yum
[root@RedHat ~]# yum -y install podman
// Configure a registry mirror (working directory is /etc/containers; the mirror hostname below is a placeholder)
[root@RedHat containers]# cp registries.conf{,.ori}
[root@RedHat containers]# grep -v "^#" registries.conf.ori > registries.conf
[root@RedHat containers]# vim registries.conf
unqualified-search-registries = ["docker.io"]

[[registry]]
prefix = 'docker.io'
location = 'xxxx.mirror.swr.myhuaweicloud.com'
// Note: with this configuration every pull of a docker.io image is served by the mirror, so the mirror becomes a trusted party in your image supply chain. Keeping unqualified-search-registries to a single registry also makes short names such as "busybox" resolve predictably.
// Pull an image with podman
[root@RedHat containers]# podman pull busybox
Completed short name "busybox" with unqualified-search registries (origin: /etc/containers/registries.conf)
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob e5d9363303dd done
Copying config b97242f89c done
Writing manifest to image destination
Storing signatures
b97242f89c8a29d13aea12843a08441a4bbfc33528f55b60366c1d8f6923d0d4
[root@RedHat containers]# podman images
REPOSITORY                 TAG     IMAGE ID      CREATED      SIZE
docker.io/library/busybox  latest  b97242f89c8a  8 weeks ago  1.45 MB
// List images with podman
[root@RedHat containers]# podman images
REPOSITORY                 TAG     IMAGE ID      CREATED      SIZE
docker.io/library/busybox  latest  b97242f89c8a  8 weeks ago  1.45 MB
// Remove an image with podman
[root@RedHat containers]# podman rmi docker.io/library/busybox:latest
Untagged: docker.io/library/busybox:latest
Deleted: b97242f89c8a29d13aea12843a08441a4bbfc33528f55b60366c1d8f6923d0d4
// Images pulled by root are not visible when another user logs in to the host: root's storage lives under /var/lib/containers/storage, while each rootless user has a separate store under ~/.local/share/containers/storage
[root@RedHat ~]# podman images
REPOSITORY                 TAG     IMAGE ID      CREATED      SIZE
docker.io/library/busybox  latest  b97242f89c8a  8 weeks ago  1.45 MB
[jerry@RedHat ~]$ id
uid=1000(jerry) gid=1000(jerry) groups=1000(jerry) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[jerry@RedHat ~]$ podman images
REPOSITORY  TAG  IMAGE ID  CREATED  SIZE
// Conversely, root does not have the image that jerry pulled either
[jerry@RedHat ~]$ podman pull nginx
Completed short name "nginx" with unqualified-search registries (origin: /etc/containers/registries.conf)
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob f72584a26f32 done
Copying blob a076a628af6f done
Copying blob 0732ab25fa22 done
Copying blob 7125e4df9063 done
Copying blob d7f36f6fe38f done
Copying config f6d0b4767a done
Writing manifest to image destination
Storing signatures
f6d0b4767a6c466c178bf718f99bea0d3742b26679081e52dbf8e0c7c4c42d74
[jerry@RedHat ~]$ podman images
REPOSITORY               TAG     IMAGE ID      CREATED      SIZE
docker.io/library/nginx  latest  f6d0b4767a6c  8 weeks ago  137 MB
[root@RedHat ~]# podman images
REPOSITORY                 TAG     IMAGE ID      CREATED      SIZE
docker.io/library/busybox  latest  b97242f89c8a  8 weeks ago  1.45 MB
// A container created by jerry is not visible to root
[jerry@RedHat ~]$ podman run -it nginx /bin/sh
# ls
bin   dev                  docker-entrypoint.sh  home  lib64  mnt  proc  run   srv  tmp  var
boot  docker-entrypoint.d  etc                   lib   media  opt  root  sbin  sys  usr
# exit
[jerry@RedHat ~]$ podman ps -a
CONTAINER ID  IMAGE                           COMMAND  CREATED         STATUS                    PORTS  NAMES
f7281ca4a884  docker.io/library/nginx:latest  /bin/sh  47 seconds ago  Exited (0) 5 seconds ago         practical_liskov
[root@RedHat ~]# podman ps -a
CONTAINER ID  IMAGE  COMMAND  CREATED  STATUS  PORTS  NAMES
// If root and jerry both create a container named web, do the two conflict?
[root@RedHat ~]# podman run -it --rm --name web busybox
/ # ls
bin   dev   etc   home  proc  root  run   sys   tmp   usr   var
[root@RedHat ~]# podman ps
CONTAINER ID  IMAGE                             COMMAND  CREATED         STATUS             PORTS  NAMES
fc0b452940fd  docker.io/library/busybox:latest  sh       16 seconds ago  Up 15 seconds ago         web
[jerry@RedHat ~]$ podman run -it --rm --name web busybox
/ # ls
bin   dev   etc   home  proc  root  run   sys   tmp   usr   var
[jerry@RedHat ~]$ podman ps
CONTAINER ID  IMAGE                             COMMAND  CREATED         STATUS             PORTS  NAMES
5294a0e55a83  docker.io/library/busybox:latest  sh       20 seconds ago  Up 19 seconds ago         web
// As you can see, containers created by different users are isolated from each other (separate storage and name spaces per user) and do not interfere
// If you want to create a container as a regular user and map container port 80 to host port 80
[jerry@RedHat ~]$ podman run -it --rm --name web1 -p 80:80 busybox
Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied
// It fails, as expected: a rootless container has no more privilege than the user running it, and binding ports below 1024 needs CAP_NET_BIND_SERVICE. You can instead use a host port number >= 1024, for example:
[jerry@RedHat ~]$ podman run -it --rm --name web1 -p 2000:80 busybox
/ # ls
bin   dev   etc   home  proc  root  run   sys   tmp   usr   var
[jerry@RedHat ~]$ podman ps
CONTAINER ID  IMAGE                             COMMAND  CREATED        STATUS            PORTS                 NAMES
f529b49fb389  docker.io/library/busybox:latest  sh       7 seconds ago  Up 6 seconds ago  0.0.0.0:2000->80/tcp  web1
// Note: the sysctl suggested in the error message, net.ipv4.ip_unprivileged_port_start, is system-wide. Lowering it to 80 lets every unprivileged process on the host bind ports 80 and above, not just this container, so a high host port (or a reverse proxy that runs as root and forwards to it) is the safer fix.
cgroup v2 support
The cgroup v2 Linux kernel feature lets users limit the resources a rootless container may use. If the Linux distribution running Podman has cgroup v2 enabled, you may need to change the default OCI runtime: some older versions of runc do not work with cgroup v2, and you may have to switch to the alternative OCI runtime crun.
The alternative OCI runtime can also be selected for a single command with the --runtime option:
podman --runtime crun
// Install crun with yum
[root@RedHat ~]# yum -y install crun
To apply the change to every command, set the default OCI runtime in containers.conf, either system-wide or for a single user, by changing the value from runtime = "runc" to runtime = "crun".
// Uncomment and change the setting (the runtime key sits in the [engine] section)
[root@RedHat containers]# vim /usr/share/containers/containers.conf
runtime = "crun"
[root@RedHat containers]# podman run -it --rm --name web1 busybox
// From a second shell, confirm which runtime the running container uses
[root@RedHat ~]# podman inspect web1 | grep crun
        "OCIRuntime": "crun",
            "crun",
// Note: /usr/share/containers/containers.conf holds the distribution defaults and is replaced when the package is updated. Put the override in /etc/containers/containers.conf (system-wide) or ~/.config/containers/containers.conf (for a rootless user) so it survives upgrades; those files take precedence over the one in /usr/share.
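The precedence of the three containers.conf locations is the part most easily got wrong here, so the following is an added example (not from the original post or from the Podman project) that resolves the effective runtime setting the way Podman's file lookup works: /usr/share/containers/containers.conf supplies distribution defaults, /etc/containers/containers.conf overrides it, and for a rootless user $HOME/.config/containers/containers.conf overrides both. The directory tree, the user name jerry and the file contents are constructed inline under a temporary root so it runs offline; the fallback value runc is assumed to be the compiled-in default of the Podman version the post uses.

```shell
#!/bin/sh
# Added example: resolve the effective [engine] runtime across the three
# containers.conf locations, in the order Podman applies them (lowest first):
#   $ROOT/usr/share/containers/containers.conf      distro defaults (replaced on upgrade)
#   $ROOT/etc/containers/containers.conf            system-wide admin override
#   $ROOT$HOME/.config/containers/containers.conf   rootless per-user override
# ROOT re-roots the paths so the script can run against a constructed tree.

# runtime_in FILE -> print the uncommented runtime value from the [engine] table
runtime_in() {
  [ -r "$1" ] || return 1
  awk '
    /^[[:space:]]*\[/ { in_engine = ($0 ~ /^[[:space:]]*\[engine\][[:space:]]*$/); next }
    in_engine && /^[[:space:]]*runtime[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); gsub(/"/, ""); print; found = 1; exit
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# effective_runtime ROOT HOME -> the highest-precedence runtime, or the assumed
# compiled-in default "runc" when no file sets one
effective_runtime() {
  e_root=$1; e_home=$2; e_val=runc
  for e_file in "$e_root/usr/share/containers/containers.conf" \
                "$e_root/etc/containers/containers.conf" \
                "$e_root$e_home/.config/containers/containers.conf"; do
    e_found=$(runtime_in "$e_file") && e_val=$e_found
  done
  echo "$e_val"
}

# build_demo_tree ROOT -> constructed configs reproducing the edit made in this post
# (crun set only in /usr/share) next to an admin override that silently shadows it
build_demo_tree() {
  mkdir -p "$1/usr/share/containers" "$1/etc/containers" "$1/home/jerry/.config/containers"
  printf '# runtime = "runc"\n[engine]\nruntime = "crun"\n' > "$1/usr/share/containers/containers.conf"
  printf '[engine]\nruntime = "runc"\n' > "$1/etc/containers/containers.conf"
  printf '[engine]\nruntime = "crun"\n' > "$1/home/jerry/.config/containers/containers.conf"
}

demo_root=$(mktemp -d)
build_demo_tree "$demo_root"
echo "root  -> $(effective_runtime "$demo_root" /root)"        # runc: /etc shadows /usr/share
echo "jerry -> $(effective_runtime "$demo_root" /home/jerry)"  # crun: the per-user file wins
rm -rf "$demo_root"
```

The point of the demo tree is that an edit made only in /usr/share/containers/containers.conf is invisible as soon as an /etc/containers/containers.conf sets the same key, which is why the check with podman inspect after the change is worth keeping.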
Creating a container as a regular user: the UID inside the container differs from the UID outside
[jerry@RedHat ~]$ mkdir 123
[jerry@RedHat ~]$ podman run -it --rm -v /home/jerry/123:/data busybox /bin/sh
/ # cd data/
/data # touch abc
/data # ls -l
total 0
-rw-r--r--    1 root     root             0 Mar 10 22:17 abc
/data # exit
[jerry@RedHat ~]$ cd 123/
[jerry@RedHat 123]$ ll
total 0
-rw-r--r--. 1 jerry jerry 0 Mar 11 06:17 abc
[jerry@RedHat 123]$
To keep the UIDs consistent, use the --userns=keep-id option. Without it, rootless Podman maps container UID 0 to the UID of the user who started the container (which is why the file created by root inside the container is owned by jerry on the host) and maps the other container UIDs onto the user's subordinate UID range from /etc/subuid. With keep-id, jerry's UID is mapped to the same number inside the container, and the container process runs as jerry rather than as root (note the $ prompt).
[jerry@RedHat 123]$ podman run -it --rm --userns=keep-id -v /home/jerry/123/:/data busybox
~ $ cd data/
/data $ ls -l
total 0
-rw-r--r--    1 jerry    jerry            0 Mar 10 22:17 abc
/data $
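What happens to the UIDs is a fixed arithmetic mapping, and the following added example (not from the original post or from Podman itself) reproduces it so that both ls -l listings above can be predicted: with the default rootless namespace, container UID 0 maps to the invoking user's UID and container UIDs 1..N map onto the user's subordinate range from /etc/subuid; with --userns=keep-id the user's own UID is mapped to the same number, and the subordinate range fills the UIDs below and above it. The /etc/subuid contents (jerry:100000:65536, alice:165536:65536) and jerry's UID 1000 are constructed values, not taken from the post.

```shell
#!/bin/sh
# Added example: compute which host UID a file written inside a rootless Podman
# container ends up owned by. Constructed /etc/subuid content (not read from the host):
SUBUID_DB='jerry:100000:65536
alice:165536:65536'

# subuid_range USER -> "START COUNT" from the subuid database, empty if the user has none
subuid_range() {
  printf '%s\n' "$SUBUID_DB" | awk -F: -v u="$1" '$1 == u { print $2, $3; exit }'
}

# rootless_host_uid USER HOST_UID CONTAINER_UID
# Default rootless mapping (uid_map "0 HOST_UID 1" followed by "1 START COUNT"):
#   container uid 0 -> HOST_UID;  container uid n (1 <= n <= COUNT) -> START + n - 1
rootless_host_uid() {
  r_user=$1; r_host=$2; r_cuid=$3
  if [ "$r_cuid" -eq 0 ]; then echo "$r_host"; return 0; fi
  set -- $(subuid_range "$r_user")
  [ -n "$1" ] || { echo "no subuid range for $r_user" >&2; return 1; }
  if [ "$r_cuid" -gt "$2" ]; then
    echo "container uid $r_cuid is outside the mapped range 1..$2" >&2; return 1
  fi
  echo $(( $1 + r_cuid - 1 ))
}

# keep_id_host_uid USER HOST_UID CONTAINER_UID
# --userns=keep-id mapping: "0 START HOST_UID", "HOST_UID HOST_UID 1", then
# "HOST_UID+1 START+HOST_UID COUNT-HOST_UID", so only HOST_UID is identity-mapped
keep_id_host_uid() {
  k_user=$1; k_host=$2; k_cuid=$3
  set -- $(subuid_range "$k_user")
  [ -n "$1" ] || { echo "no subuid range for $k_user" >&2; return 1; }
  if [ "$k_cuid" -eq "$k_host" ]; then
    echo "$k_host"
  elif [ "$k_cuid" -lt "$k_host" ]; then
    echo $(( $1 + k_cuid ))
  elif [ "$k_cuid" -le "$2" ]; then
    echo $(( $1 + k_cuid - 1 ))
  else
    echo "container uid $k_cuid is outside the mapped range 0..$2" >&2; return 1
  fi
}

# The two listings from this post, with jerry assumed to be uid 1000:
echo "default, root in container     -> host uid $(rootless_host_uid jerry 1000 0)"    # 1000 (jerry)
echo "default, uid 1000 in container -> host uid $(rootless_host_uid jerry 1000 1000)" # 100999 (a subuid)
echo "keep-id, uid 1000 in container -> host uid $(keep_id_host_uid jerry 1000 1000)"  # 1000 (jerry)
echo "keep-id, root in container     -> host uid $(keep_id_host_uid jerry 1000 0)"     # 100000
```

The practical consequence is the second line: a process that runs as a non-root UID inside a default rootless container leaves files on a bind mount owned by a subordinate UID that jerry cannot chown or delete directly. On a real host, `podman unshare cat /proc/self/uid_map` prints the live mapping, and `podman unshare rm` removes such files from inside the user namespace without resorting to sudo.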