Installing Podman and configuring it for non-root users


Podman overview

Podman is an open-source project, available on most Linux platforms and developed in the open on GitHub. Podman is a daemonless container engine for developing, managing and running Open Container Initiative (OCI) containers and container images on Linux systems. Podman provides a Docker-compatible command-line front end that can simply stand in for the Docker CLI; in short, you can add the alias alias docker=podman and use podman directly.

Containers under Podman's control can be run by the root user or by an unprivileged user. Podman manages the entire container ecosystem, including pods, containers, container images and container volumes, using the libpod library. Podman focuses on all the commands and functions that help you maintain and modify OCI container images, such as pulling and tagging. It lets you create, run and maintain containers created from those images in a production environment.

Official documentation

Installing Podman

Here we install from the Aliyun yum repository.

[root@test ~]# yum -y install podman

Configure the Aliyun registry mirror (image accelerator)

[root@test ~]# cd /etc/containers/
[root@test containers]# cp  registries.conf{,.ori}
[root@test containers]# grep -v "^#"  registries.conf.ori > registries.conf

[root@test containers]# vim  registries.conf
unqualified-search-registries = ['docker.io']

[[registry]]
prefix= 'docker.io'
location= 'xxxxxxxx.mirror.aliyuncs.com'

Pull an image

[root@centos ~]# podman pull  nginx
Completed short name "nginx" with unqualified-search registries (origin: /etc/containers/registries.conf)
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob 7125e4df9063 done  
Copying blob a076a628af6f done  
Copying blob f72584a26f32 done  
Copying blob 0732ab25fa22 done  
Copying blob d7f36f6fe38f done  
Copying config f6d0b4767a done  
Writing manifest to image destination
Storing signatures
f6d0b4767a6c466c178bf718f99bea0d3742b26679081e52dbf8e0c7c4c42d74

Run a container

[root@centos ~]# podman run  -d  --name t1 -p 80 docker.io/library/nginx
a4034b8e031fca278f953b6bc173b9f2734f9740a65ec2cc3b371695d962415e
[root@centos ~]# podman ps
CONTAINER ID  IMAGE                    COMMAND               CREATED        STATUS            PORTS                  NAMES
a4034b8e031f  docker.io/library/nginx  nginx -g daemon o...  6 seconds ago  Up 6 seconds ago  0.0.0.0:42447->80/tcp  t1

# -l selects the most recently created container
[root@centos ~]# podman inspect -l
......................
"NetworkSettings": {
            "EndpointID": "",
            "Gateway": "10.88.0.1",
            "IPAddress": "10.88.0.3",
            "IPPrefixLen": 16,
......................

[root@centos ~]# curl 192.168.248.133:42447
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
............................................................

podman logs: view container logs

[root@centos ~]# podman logs  -l
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up

podman top <container_id>: show the processes (PIDs) running in a container

[root@centos ~]# podman top t1
USER    PID   PPID   %CPU    ELAPSED            TTY   TIME   COMMAND
root    1     0      0.000   11m48.116689309s   ?     0s     nginx: master process nginx -g daemon off; 
nginx   28    1      0.000   11m47.116736194s   ?     0s     nginx: worker process

Pushing an image

[root@centos ~]# podman login
[root@centos ~]# podman tag docker.io/library/nginx:latest   diqiyao/test:nginx
[root@centos ~]# podman  push  diqiyao/test:nginx

Configuration for non-root users

Before allowing users without root privileges to run Podman, the administrator must install or build Podman and complete the following configuration.

The cgroup v2 Linux kernel feature lets you limit the resources that containers run by ordinary users may consume. If the Linux distribution running Podman has cgroup v2 enabled, the default OCI runtime may need to be changed: some older versions of runc do not work with cgroup v2, and you must switch to the alternative OCI runtime crun.

[root@centos ~]# yum  -y install crun

The alternative OCI runtime for cgroup v2 can be selected on the command line with the --runtime option

podman  --runtime crun

Alternatively, edit containers.conf and change runtime = "runc" to runtime = "crun"

[root@centos ~]# vim /usr/share/containers/containers.conf
......................
# volume_path = "/var/lib/containers/storage/volumes"

# Default OCI runtime
#
 runtime = "crun"

# List of the OCI runtimes that support --format=json.  When json is supported
# engine will use it for reporting nicer errors.
#
# runtime_supports_json = ["crun", "runc", "kata"]
...................................

[root@centos ~]# podman start t1
[root@centos ~]# podman inspect t1 | grep runc
        "OCIRuntime": "runc",
            "runc",

Install slirp4netns

The slirp4netns package provides the network mode used by non-root users

[root@centos ~]# yum -y install slirp4netns

Install fuse-overlayfs

When using Podman as a non-root user, fuse-overlayfs is recommended instead of the VFS storage driver; version 0.7.6 or later is required

[root@centos ~]# yum -y install fuse-overlayfs

Configure storage.conf

[root@centos ~]# vim /etc/containers/storage.conf
...................
# Default Storage Driver
driver = "overlay"
................
.................
mount_program = "/usr/bin/fuse-overlayfs"
.........................

/etc/subuid and /etc/subgid configuration

Podman requires that the user running it have a range of UIDs and GIDs listed in /etc/subuid and /etc/subgid; the shadow-utils or newuid package provides these files

[root@centos ~]# yum -y install shadow-utils

You can inspect /etc/subuid and /etc/subgid; the values for each user must be unique and must not overlap with those of any other user.

[root@centos ~]# cat /etc/subuid
txx:100000:65536
[root@centos ~]# useradd test
[root@centos ~]# cat /etc/subuid
txx:100000:65536
test:165536:65536

The format of the file is USERNAME:UID:RANGE

  • the username, as listed in /etc/passwd or returned by getpwent;
  • the initial UID assigned to the user;
  • the size of the UID range assigned to the user.

User configuration files

The three main configuration files are containers.conf, storage.conf and registries.conf; users can modify these files as needed.

containers.conf

Podman reads

 1. /usr/share/containers/containers.conf
 2. /etc/containers/containers.conf
 3. $HOME/.config/containers/containers.conf

in that order, if they exist. Each file can override specific fields of the previous one.

storage.conf

For storage.conf the order is

1. /etc/containers/storage.conf
2. $HOME/.config/containers/storage.conf

When running as a non-root user, some fields of /etc/containers/storage.conf are ignored:

graphroot=""
 container storage graph dir (default: "/var/lib/containers/storage")
 Default directory to store all writable content created by container storage programs.

runroot=""
 container storage run dir (default: "/run/containers/storage")
 Default directory to store all temporary writable content created by container storage programs.

For non-root users these fields default to

graphroot="$HOME/.local/share/containers/storage"
runroot="$XDG_RUNTIME_DIR/containers"

registries.conf

The configuration is read in the order below. These files are not created by default; you can copy them from /usr/share/containers to /etc/containers and modify them.

1. /etc/containers/registries.conf
2. /etc/containers/registries.d/*
3. $HOME/.config/containers/registries.conf

Authorization file

After podman login, the default authorization file is located at ${XDG_RUNTIME_DIR}/containers/auth.json; it holds the registry credentials, so protect it like a password file.

[root@centos ~]# podman login
Username: diqiyao
Password: 
Login Succeeded!
[root@centos ~]# cat /run/user/0/containers/auth.json 
{
	"auths": {
		"docker.io": {
..................................
...............................

Using volumes

When a container runs as root, the root user inside the container is actually your own user on the host. Container UID/GID 1 is the first UID/GID of the mapping specified in /etc/subuid and /etc/subgid, and so on. If, as a non-root user, you mount a host directory into a container and create files in that directory as root, you will see that on the host they are actually owned by your own user.

[root@centos ~]# su - test
[test@centos ~]$ whoami 
test
[test@centos ~]$ pwd
/home/test
[test@centos ~]$ mkdir test

[test@centos ~]$ podman  run  -it --name t0 -v "$(pwd)"/test:/xxxxx busybox /bin/sh
/ # ls
bin    dev    etc    home   proc   root   run    sys    tmp    usr    var    xxxxx
/ # touch xxxxx/abc
/ # ll xxxxx/abc 
/ # ls  -l xxxxx/abc 
-rw-r--r--    1 root     root             0 Mar 10 23:05 xxxxx/abc
/ # exit

[test@centos ~]$ ls -l
total 0
drwxrwxr-x 2 test test 17 Mar 11 07:05 test

Use the --userns=keep-id flag to ensure your user is mapped to its own UID and GID inside the container.

[test@centos ~]$ podman  run  -it --name t1 -v "$(pwd)"/test:/xxxxx --userns=keep-id  busybox /bin/sh
~ $ touch xxxxx/bcd
~ $ ls -l xxxxx/
total 0
-rw-r--r--    1 test     test             0 Mar 10 23:05 abc
-rw-r--r--    1 test     test             0 Mar 10 23:10 bcd
~ $ exit
[test@centos ~]$ ll test/
total 0
-rw-r--r-- 1 test test 0 Mar 11 07:05 abc
-rw-r--r-- 1 test test 0 Mar 11 07:10 bcd

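The subuid rules above (unique, non-overlapping USERNAME:UID:RANGE entries) and the ownership behaviour shown in the two sessions, as an added example that is not part of the original post: it parses constructed /etc/subuid entries, checks them for overlap, and computes which host UID owns a file created by a given container UID under the default rootless mapping and under --userns=keep-id. The host UID of the test user (1001) is an assumption.

```python
# Added example (not from the original post): parse /etc/subuid entries,
# check the "unique, non-overlapping" rule, and map a UID inside a rootless
# container to the host UID that owns the files it creates.
# Constructed sample modelled on the post's /etc/subuid output.
SUBUID_TEXT = """\
txx:100000:65536
test:165536:65536
"""

def parse_subid(text):
    """Return (user, start, count) tuples from USERNAME:UID:RANGE lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        entries.append((user, int(start), int(count)))
    return entries

def find_overlaps(entries):
    """Return (user, user) pairs whose ranges intersect; Podman requires none."""
    bad = []
    for i, (u1, s1, c1) in enumerate(entries):
        for u2, s2, c2 in entries[i + 1:]:
            if s1 < s2 + c2 and s2 < s1 + c1:
                bad.append((u1, u2))
    return bad

def container_to_host_uid(cuid, host_uid, start, count, keep_id=False):
    """Host UID for a container UID; host_uid 1001 for 'test' is assumed."""
    if not keep_id:
        # Default rootless mapping: container root is the host user itself,
        # container UIDs 1..count are the subuid range in order.
        if cuid == 0:
            return host_uid
        if 1 <= cuid <= count:
            return start + cuid - 1
        raise ValueError("container UID is outside the user namespace")
    # --userns=keep-id: the host UID maps to itself and the subuid range
    # fills the container UIDs below and above it.
    if cuid == host_uid:
        return host_uid
    if cuid < host_uid:
        return start + cuid
    if cuid <= count:
        return start + cuid - 1
    raise ValueError("container UID is outside the user namespace")
```

This is why the file touched as root in the first session shows up as test on the host, while with keep-id the container process already runs as test.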
 

Mapping a privileged container port as a non-root user fails with a "permission denied" error

[test@centos ~]$ podman  run  --name nginx  -d  -p 80:80 nginx
Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied

Ports >= 1024 can be mapped

[test@centos ~]$ podman  run  --name nginx  -d  -p 1024:80 nginx
694258f5d83268e78015eb5d39c86913fb2ed2550a3edfe30613ee02cd11a804
[test@centos ~]$ podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS               NAMES
694258f5d832  docker.io/library/nginx:latest  nginx -g daemon o...  9 seconds ago  Up 8 seconds ago  0.0.0.0:1024->80/tcp  nginx

Alternatively, as root, append net.ipv4.ip_unprivileged_port_start=80 to /etc/sysctl.conf and reload it. Note that this lowers the privileged-port threshold for every unprivileged user and process on the host, not just for Podman.

[root@centos ~]# echo  'net.ipv4.ip_unprivileged_port_start=80'  >> /etc/sysctl.conf
[root@centos ~]# sysctl -p

[test@centos ~]$ podman  run  --name nginx1  -d  -p 80:80 nginx
c99e240ccd6a7e3c089a6e0d4d74149195cd6b28e1b170ae0e59fda3a4f4120d
[test@centos ~]$ podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS                 NAMES
c99e240ccd6a  docker.io/library/nginx:latest  nginx -g daemon o...  9 seconds ago  Up 9 seconds ago  0.0.0.0:80->80/tcp    nginx1

 

