podman配置
podman安装
yum -y install podman
podman加速
[root@localhost containers]# pwd /etc/containers [root@localhost containers]# cp registries.conf registries.conf-origin [root@localhost containers]# ls certs.d oci policy.json registries.conf registries.conf-origin registries.d storage.conf
[root@localhost containers]# vim registries.conf unqualified-search-registries = [ "docker.io"] [[registry]] prefix = "" location = https://7kwy92qc.mirror.aliyuncs.com
podman常用操作
使用podman拉取一个nginx镜像
[root@localhost containers]# podman pull nginx Completed short name "nginx" with unqualified-search registries (origin: /etc/containers/registries.conf) Trying to pull docker.io/library/nginx:latest... Getting image source signatures Copying blob f5a38c5f8d4e done Copying blob ec3bd7de90d7 done Copying blob 83500d851118 done Copying blob 19e2441aeeab done Copying blob 8acc495f1d91 done Copying blob 45b42c59be33 [======================================] 25.8MiB / 25.8MiB Copying config 35c43ace92 done Writing manifest to image destination Storing signatures
35c43ace9216212c0f0e546a65eec93fa9fc8e96b25880ee222b7ed2ca1d2151
使用images,查看本地镜像 [root@localhost containers]# podman images REPOSITORY TAG IMAGE ID CREATED SIZE docker.io/library/nginx latest 35c43ace9216 2 weeks ago 137 MB
查看所有容器
[root@localhost containers]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
使用create创建一个容器
[root@localhost containers]# podman create nginx
9e3d94931e2dac3885a4fb9bfa822ff1b36ce5d2c5de7699ad72c11c0ed6deec
[root@localhost containers]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9e3d94931e2d docker.io/library/nginx:latest nginx -g daemon o... 9 seconds ago Created eloquent_villani
使用start启动容器
[root@localhost containers]# podman start 9e3d94931e2d
9e3d94931e2d
[root@localhost containers]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9e3d94931e2d docker.io/library/nginx:latest nginx -g daemon o... 2 minutes ago Up 15 seconds ago eloquent_villani
使用stop停止容器
[root@localhost containers]# podman stop 9e3d94931e2d
9e3d94931e2dac3885a4fb9bfa822ff1b36ce5d2c5de7699ad72c11c0ed6deec
[root@localhost containers]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9e3d94931e2d docker.io/library/nginx:latest nginx -g daemon o... 3 minutes ago Exited (0) 3 seconds ago eloquent_villani
使用inspect来查看容器的详细信息
[root@localhost containers]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9e3d94931e2d docker.io/library/nginx:latest nginx -g daemon o... 5 minutes ago Exited (0) About a minute ago eloquent_villani
[root@localhost containers]# podman inspect 9e3d94931e2d
[
{
"Id": "9e3d94931e2dac3885a4fb9bfa822ff1b36ce5d2c5de7699ad72c11c0ed6deec",
"Created": "2021-03-10T20:52:44.989833676+08:00",
"Path": "/docker-entrypoint.sh",
"Args": [
"nginx",
"-g",
"daemon off;"
],
"State": {
"OciVersion": "1.0.2-dev",
"Status": "exited",
"Running": false,
...
...
...
使用别名
[root@localhost containers]# cd
[root@localhost ~]# alias docker=podman
[root@localhost ~]# rpm -qa|grep docker
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest 35c43ace9216 2 weeks ago 137 MB
使用exec进入容器
[root@localhost ~]# podman start 9e3d94931e2d
9e3d94931e2d
[root@localhost ~]# podman exec -it 9e3d94931e2d /bin/bash
root@9e3d94931e2d:/#
podman删除容器
[root@localhost ~]# podman rm -f 9e3d94931e2d
9e3d94931e2dac3885a4fb9bfa822ff1b36ce5d2c5de7699ad72c11c0ed6deec
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
podman删除镜像
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest 35c43ace9216 2 weeks ago 137 MB
[root@localhost ~]# podman rmi docker.io/library/nginx:latest
Untagged: docker.io/library/nginx:latest
Deleted: 35c43ace9216212c0f0e546a65eec93fa9fc8e96b25880ee222b7ed2ca1d2151
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
更多命令点击转到
普通用户使用的配置
创建一个普通用户
[root@localhost ~]# useradd mei
普通用户无法查看到root上的镜像
[root@localhost ~]# podman images REPOSITORY TAG IMAGE ID CREATED SIZE docker.io/library/busybox latest a9d583973f65 16 hours ago 1.45 MB docker.io/library/centos latest 300e315adb2f 3 months ago 217 MB
[root@localhost ~]# su - mei
Last login: Wed Mar 10 21:21:59 CST 2021 on pts/2
[mei@localhost ~]$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
不同用户可以创建相同名字的容器,互不相干
[root@localhost ~]# podman run -d --name web busybox
cecd961e949e722d5f9c90131cae4dbde0556e763e3b0903edb6c45a0c4558f3
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cecd961e949e docker.io/library/busybox:latest sh 16 seconds ago Exited (0) 15 seconds ago web
[mei@localhost ~]$ podman run -d --name web busybox
98118c7f7696d56dd94fbcaa466cbf310eec46e01b554d5068716a137beb9e65
[mei@localhost ~]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
98118c7f7696 docker.io/library/busybox:latest sh 31 seconds ago Exited (0) 31 seconds ago web
cda68e999612 docker.io/library/busybox:latest /bin/sh 2 minutes ago Exited (0) About a minute ago jolly_moore
使用卷
以普通用户运行(rootless)容器时,容器内的 root 实际上就是主机上你自己的用户;容器内的 UID/GID 1 则是 /etc/subuid 和 /etc/subgid 中为该用户指定的映射范围内的第一个 UID/GID。因此,如果以普通用户身份把主机目录挂载进容器,并在该目录中以容器内的 root 身份创建文件,在主机上会看到该文件实际上归你的用户所有。
[root@localhost ~]# su - mei Last login: Fri Mar 12 05:05:27 CST 2021 on pts/1 [mei@localhost ~]$ cd jian/ [mei@localhost jian]$ pwd /home/mei/jian [mei@localhost jian]$ [mei@localhost ~]$ podman run -it --name web1 -v /home/mei/jian:/data:Z docker.io/library/nginx /bin/sh # ls bin data docker-entrypoint.d etc lib media opt root sbin sys usr boot dev docker-entrypoint.sh home lib64 mnt proc run srv tmp var # cd data # ls # touch 123 # ls 123 # pwd /data # cd # exit [mei@localhost ~]$ ls jian [mei@localhost ~]$ ls jian/ 123
[root@localhost ~]# ls /home/mei/jian/123
/home/mei/jian/123
[root@localhost ~]# ls -l /home/mei/jian/123
-rw-r--r--. 1 mei mei 0 Mar 12 05:21 /home/mei/jian/123
普通用户无法暴露 80 这类特权端口(默认小于 1024 的端口都不能绑定),有两种解决方案:调低 net.ipv4.ip_unprivileged_port_start,或者改用大于等于 1024 的端口。注意:该 sysctl 是系统级设置,调低后主机上所有非特权进程(不只是 podman)都可以绑定该值以上的端口。
[mei@localhost ~]$ podman run -d --name web1 -p 80:80 busybox Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024),
or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied [mei@localhost ~]$ podman ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES a69292311bed docker.io/library/busybox:latest sh About a minute ago Created 0.0.0.0:80->80/tcp web1 98118c7f7696 docker.io/library/busybox:latest sh 4 minutes ago Exited (0) 4 minutes ago web cda68e999612 docker.io/library/busybox:latest /bin/sh 7 minutes ago Exited (0) 5 minutes ago jolly_moore
[mei@localhost ~]$ podman run -d --name web2 -p 2000:80 busybox 7995dfae49c15a88f3ae1baa8b2eda89800c430a456c63a5a79a8b17c7596376
安装crun
[root@localhost ~]# yum install -y crun
[root@localhost ~]# vim /usr/share/containers/containers.conf
# Default OCI runtime
#
runtime = "crun" //此处修改为crun,取消注释
# List of the OCI runtimes that support --format=json. When json is supported
...
...
...
新创建一个容器,查看。
[root@localhost ~]# podman run -d --rm --name web1 nginx
12861ab3fe35e9a549437c0e359e5368e347b459f7a078ff3c592c33ae2ee119
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
12861ab3fe35 docker.io/library/nginx:latest nginx -g daemon o... 8 seconds ago Up 8 seconds ago web1
cecd961e949e docker.io/library/busybox:latest sh 24 minutes ago Exited (0) 24 minutes ago web
[root@localhost ~]# podman inspect web|grep runc
"OCIRuntime": "runc",
"runc",
安装slirp4netns
[root@localhost ~]# yum -y install slirp4netns [root@localhost ~]# rpm -qa|grep slirp4netns slirp4netns-1.1.8-1.module_el8.3.0+699+d61d9c41.x86_64
安装 fuse-overlayfs
[root@localhost ~]# rpm -qa fuse-overlayfs fuse-overlayfs-1.3.0-2.module_el8.3.0+699+d61d9c41.x86_64
[root@localhost ~]# cd /etc/containers/
[root@localhost containers]# ls
certs.d oci policy.json registries.conf registries.conf.origin registries.d storage.conf
[root@localhost containers]# vim storage.conf
# This file is is the configuration file for all tools
# that use the containers/storage library.
# See man 5 containers-storage.conf for more information
# The "container storage" table contains all of the server options.
[storage]
# Default Storage Driver
driver = "overlay" 此处修改成overlay
# Temporary storage location
......
# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
mount_program = "/usr/bin/fuse-overlayfs" 此处取消注释
# mountopt specifies comma separated list of extra mount options
mountopt = "nodev,metacopy=on"
# Set to skip a PRIVATE bind mount on the storage home directory.
更新 /etc/subuid 和 /etc/subgid,为每个允许创建容器的用户添加类似下面的条目。请注意,每个用户的取值范围必须唯一且互不重叠;如果存在重叠,一个用户就有可能使用到其他用户的命名空间,并破坏该命名空间。
[root@localhost ~]# cat /etc/subuid mei:100000:65536
该文件的格式为 USERNAME:UID:RANGE
- 在/etc/passwd或getpwent中列出的用户名。
- 为用户分配的初始uid。
- 为用户分配的UID范围的大小。
这意味着用户 mei 除了 /etc/passwd 中的标准 UID 之外,还被分配了 UID 100000-165535。注意:目前不支持基于网络的安装方式,这些文件必须在主机本地可用,无法通过 LDAP 或 Active Directory 来配置。
如果更新了 /etc/subuid 或 /etc/subgid 文件,则需要停止该用户拥有的所有正在运行的容器,并终止该用户在系统上运行的 pause 进程。这可以通过 podman system migrate 命令自动完成,该命令会停止该用户的所有容器并终止其 pause 进程。
[root@localhost ~]# cat /etc/subuid mei:100000:65536 [root@localhost ~]# cat /etc/subgid mei:100000:65536 [root@localhost ~]# useradd tom [root@localhost ~]# cat /etc/subuid mei:100000:65536 tom:165536:65536 [root@localhost ~]# useradd jerry [root@localhost ~]# cat /etc/subuid mei:100000:65536 tom:165536:65536 jerry:231072:65536
启用非特权 ping
在非特权容器中运行的用户可能无法使用容器内的 ping 工具。如果需要使用,管理员必须确认该用户的 UID 是否在 /proc/sys/net/ipv4/ping_group_range 文件所规定的范围内。
要更改其值,管理员可以执行类似 sysctl -w "net.ipv4.ping_group_range=0 2000000" 的命令。为了使更改持久生效,管理员需要在 /etc/sysctl.d 下添加一个以 .conf 为扩展名的文件,其内容为 net.ipv4.ping_group_range=0 $MAX_GID,其中 $MAX_GID 是运行容器的用户的最高可分配 GID。
[mei@localhost ~]$ podman run -d --name web4 -p 80:80 nginx Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied [root@localhost ~]# vim /etc/sysctl.conf # sysctl settings are defined through files in # /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/. # # Vendors settings live in /usr/lib/sysctl.d/. # To override a whole file, create a new file with the same in # /etc/sysctl.d/ and put new settings there. To override # only specific settings, add a file with a lexically later # name in /etc/sysctl.d/ and put new settings there. # # For more information, see sysctl.conf(5) and sysctl.d(5). net.ipv4.ip_unprivileged_port_start=80 ~ ~ [root@localhost ~]# sysctl -p 重新加载一下 net.ipv4.ip_unprivileged_port_start = 80 [mei@localhost ~]$ podman start web4 web4 [mei@localhost ~]$ podman ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES a482e75c2a5b docker.io/library/nginx:latest nginx -g daemon o... 7 minutes ago Up 21 seconds ago 0.0.0.0:80->80/tcp web4 cda68e999612 docker.io/library/busybox:latest /bin/sh 2 hours ago Exited (0) 2 hours ago jolly_moore [mei@localhost ~]$ ss -antl State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 0.0.0.0:22 0.0.0.0:* LISTEN 0 128 *:80 *:* LISTEN 0 128 [::]:22 [::]:* [mei@localhost ~]$ curl 192.168.170.155 <!DOCTYPE html> <html> <head> <title>Welcome to nginx!</title> <style> body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; } </style> </head> <body> <h1>Welcome to nginx!</h1> <p>If you see this page, the nginx web server is successfully installed and working. 
Further configuration is required.</p> <p>For online documentation and support please refer to <a href="http://nginx.org/">nginx.org</a>.<br/> Commercial support is available at <a href="http://nginx.com/">nginx.com</a>.</p> <p><em>Thank you for using nginx.</em></p> </body> </html>