Podman command usage and user configuration


What is Podman?

For details, see: What is Podman?

Podman can replace most Docker subcommands (run, push, pull, and so on). Podman needs no daemon; instead it uses user namespaces to simulate root inside the container, so it never has to connect to a root-owned socket, which keeps the container setup secure.
Podman focuses on all the commands and functions for maintaining and modifying OCI images, such as pulling and tagging. It also lets us create, run, and maintain containers created from those images.

Podman can manage and run any container and container image that conforms to the OCI (Open Container Initiative) specification. Podman provides a Docker-compatible command-line front end for managing Docker images.

Podman is initiated and driven mainly by Red Hat and is the next generation of container technology. It consists of three modules: Podman, Skopeo, and Buildah.
All three are tools under the OCI initiative (github/containers), driven mainly by Red Hat. Together they can do everything Docker does, without a daemon or access to a group with root privileges, which makes them more secure and reliable: the next generation of container tools.

Podman is an open-source container runtime project available on most Linux platforms. Podman offers functionality very similar to Docker's. As mentioned above, it needs no daemon running on your system, and it can also run without root privileges.

How does Podman differ from Docker?

  1. Docker requires a daemon (the docker daemon) to run on the system; Podman does not.

  2. Containers are started differently:
    The docker CLI talks to the Docker Engine through its API, telling it "I want to create a container"; only then does the Docker Engine call the OCI container runtime (runc) to start the container. This means the container process is not a child process of the Docker CLI but a child process of the Docker Engine.

    Podman interacts with the OCI container runtime (runc) directly to create the container, so the container process is a direct child process of podman.

  3. Because Docker has the docker daemon, containers started by Docker support the --restart policy, but Podman does not. In Kubernetes this is not a problem, since we can set the pod's restart policy; on a plain system we can write a systemd service to get autostart.

  4. Docker needs the root user to create containers; Podman does not.
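As an added example (not from the original post), here is one way to give a Podman container the boot-time autostart that Docker's --restart policy provides: a small POSIX shell script that writes a systemd unit for an already-created container. It assumes podman is installed at /usr/bin/podman and that the container (here named web) already exists, for example from `podman create --name web nginx`.

```shell
#!/bin/sh
# Added example: systemd unit for autostarting a Podman container at boot,
# standing in for Docker's --restart policy. Assumptions (not from the page):
# podman is at /usr/bin/podman and the container was already created,
# e.g. `podman create --name web nginx`.

# podman_unit NAME: print the unit for container NAME to stdout.
podman_unit() {
    name=$1
    cat <<EOF
[Unit]
Description=Podman container: ${name}
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
# "start -a" keeps the container attached in the foreground, so systemd
# supervises the real process and can restart it when it dies.
ExecStart=/usr/bin/podman start -a ${name}
ExecStop=/usr/bin/podman stop -t 10 ${name}
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}

# install_podman_unit NAME [DIR]: write container-NAME.service into DIR
# (default /etc/systemd/system) and print the path of the file written.
install_podman_unit() {
    name=$1
    dir=${2:-/etc/systemd/system}
    path="${dir}/container-${name}.service"
    podman_unit "$name" > "$path"
    # Unit files are parsed by root at boot; keep them unwritable by others.
    chmod 0644 "$path"
    printf '%s\n' "$path"
}

# Usage as root:
#   install_podman_unit web
#   systemctl daemon-reload && systemctl enable --now container-web.service
```

For a rootless container the same unit goes into ~/.config/systemd/user/ with WantedBy=default.target, is enabled with `systemctl --user enable --now`, and the account needs `loginctl enable-linger` so the user session, and with it the container, survives logout. Podman 2.x can also emit a unit of this kind itself with `podman generate systemd --name web`.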

Installing Podman and configuring a registry mirror (accelerator)

Install Podman

[root@localhost yum.repos.d]# yum -y install podman
Updating Subscription Management repositories.
warning: /var/cache/dnf/base-43708d1174dbbac2/packages/checkpolicy-2.9-1.el8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 8483c65d: NOKEY
Transaction test succeeded.
Running transaction
  Preparing        :                                                            1/1 
  Installing       : python3-libsemanage-2.9-2.el8.x86_64                      1/22 
  Verifying        : podman-2.2.1-7.module_el8.3.0+699+d61d9c41.x86_64        17/22 
  Verifying        : podman-catatonit-2.2.1-7.module_el8.3.0+699+d61d9c41.x   18/22 
  Verifying        : protobuf-c-1.3.0-4.el8.x86_64                            19/22                       
Complete!

Podman alias

//Alias it as docker
[root@localhost ~]# alias docker=podman

//Confirm docker is not installed
[root@localhost ~]# rpm -qa|grep docker

//The "docker" command can now be used
[root@localhost ~]# docker images
REPOSITORY               TAG     IMAGE ID      CREATED      SIZE
docker.io/library/nginx  latest  35c43ace9216  2 weeks ago  137 MB

Configuring the mirror

For how to obtain a mirror (accelerator) address, see: Basic usage of Docker

//Back up the file
[root@localhost ~]# cd /etc/containers/
[root@localhost containers]# ls
certs.d  oci  policy.json  registries.conf  registries.d  storage.conf
[root@localhost containers]# mv registries.conf registries.conf-origin
[root@localhost containers]# ls
certs.d  policy.json      registries.conf-origin  storage.conf
oci      registries.conf  registries.d

//Configuration file
#prefix does not need anything else after it; the mirror used here is my own Alibaba Cloud accelerator
[root@localhost containers]# vim registries.conf

unqualified-search-registries = ["docker.io"]
  
[[registry]]
prefix = "docker.io"
location = "zyva0762.mirror.aliyuncs.com"

Basic Podman commands

Introduction to the basic Podman commands

  1. podman search: search the official registry for images
[root@localhost ~]# podman search nginx
INDEX      NAME                                        DESCRIPTION                                      STARS   OFFICIAL  AUTOMATED
docker.io  docker.io/library/nginx                     Official build of Nginx.                         14547   [OK]      
docker.io  docker.io/jwilder/nginx-proxy               Automated Nginx reverse proxy for docker con...  1982              [OK]
docker.io  docker.io/bitnami/nginx                     Bitnami nginx Docker Image                       94                [OK]
  2. podman pull: download an image from the official registry; without a version tag the latest version is downloaded by default
[root@localhost ~]# podman pull nginx
Completed short name "nginx" with unqualified-search registries (origin: /etc/containers/registries.conf)
Trying to pull docker.io/library/nginx:latest...
	Getting image source signatures
Copying blob 19e2441aeeab done  
Copying blob 8acc495f1d91 done  
Copying blob f5a38c5f8d4e done  
Copying blob 45b42c59be33 [======================================] 25.8MiB / 25.8MiB
Copying blob ec3bd7de90d7 done  
Copying blob 83500d851118 done  
Copying config 35c43ace92 done  
Writing manifest to image destination
Storing signatures
35c43ace9216212c0f0e546a65eec93fa9fc8e96b25880ee222b7ed2ca1d2151
  3. podman images: list the images present
[root@localhost ~]# podman images
REPOSITORY               TAG     IMAGE ID      CREATED      SIZE
docker.io/library/nginx  latest  35c43ace9216  2 weeks ago  137 MB
  4. podman create: create a container
#First way
[root@localhost ~]# podman create docker.io/library/nginx
6c491585fba9de855e425571b919c3bc33bbe2bd7d43097979fc0cd63864297b
#Second way
[root@localhost ~]# podman create nginx
19a2b985132f269556bdfb9b0772e090e25f6fbf16948a08de4867a7b14c011c
  5. podman ps: list running containers; -a shows all containers
[root@localhost ~]# docker ps
CONTAINER ID  IMAGE   COMMAND  CREATED  STATUS  PORTS   NAMES
[root@localhost ~]# docker ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED         STATUS   PORTS   NAMES
19a2b985132f  docker.io/library/nginx:latest  nginx -g daemon o...  22 seconds ago  Created          romantic_saha
6c491585fba9  docker.io/library/nginx         nginx -g daemon o...  29 seconds ago  Created          elegant_elion
  6. podman start: start a container
[root@localhost ~]# podman start 79c842403792
79c842403792
#List running containers
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED         STATUS             PORTS   NAMES
79c842403792  docker.io/library/nginx:latest  nginx -g daemon o...  50 seconds ago  Up 22 seconds ago          vigorous_newton
  7. podman stop: stop a running container
[root@localhost ~]# podman stop 79c842403792
79c8424037921370db4b12473dac4d5f5a899d5bd0deb510743d4e7fe6a07839
#List running containers
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE   COMMAND  CREATED  STATUS  PORTS   NAMES
  8. podman restart: restart a container
[root@localhost ~]# podman restart 79c842403792
79c8424037921370db4b12473dac4d5f5a899d5bd0deb510743d4e7fe6a07839
#List running containers
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS   NAMES
79c842403792  docker.io/library/nginx:latest  nginx -g daemon o...  5 minutes ago  Up 3 seconds ago          vigorous_newton
  9. podman rm: remove a container; a running container cannot be removed unless -f is given, which forces removal; rmi removes an image
#List running containers
[root@localhost ~]# podman ps 
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS                 PORTS   NAMES
79c842403792  docker.io/library/nginx:latest  nginx -g daemon o...  6 minutes ago  Up About a minute ago          vigorous_newton
#Removing the container fails with an error
[root@localhost ~]# podman rm 79c842403792
Error: cannot remove container 79c8424037921370db4b12473dac4d5f5a899d5bd0deb510743d4e7fe6a07839 as it is running - running or paused containers cannot be removed without force: container state improper
#Force removal
[root@localhost ~]# podman rm -f 79c842403792
79c8424037921370db4b12473dac4d5f5a899d5bd0deb510743d4e7fe6a07839
#No longer running
[root@localhost ~]# podman ps 
CONTAINER ID  IMAGE   COMMAND  CREATED  STATUS  PORTS   NAMES
  10. podman run: run a container directly; -d runs it in the background
#Run a container
[root@localhost ~]# podman run nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
#Open a new terminal and list running containers
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED         STATUS             PORTS   NAMES
1a2defb333e2  docker.io/library/nginx:latest  nginx -g daemon o...  23 seconds ago  Up 23 seconds ago          dazzling_perlman
#-d runs it in the background
[root@localhost ~]# podman run -d nginx
966417eedde4e21a7216a7a5126069431fa0e5f3bd0abdea6d94a16520acd24e
  11. podman logs: view a container's logs
[root@localhost ~]# podman logs 966417eedde4
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
#Access the container's IP from one terminal
[root@localhost ~]# curl 10.88.0.5
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
#The log has been updated
[root@localhost ~]# podman logs 966417eedde4
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
10.88.0.1 - - [10/Mar/2021:11:11:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.61.1" "-"
  12. podman inspect: view all kinds of information about a container
[root@localhost ~]# podman inspect 966417eedde4
#Look up the IP
"EndpointID": "",
            "Gateway": "10.88.0.1",
            "IPAddress": "10.88.0.5",
            "IPPrefixLen": 16,
  13. podman attach: attach to the container's running session; when an operation is performed, the container in the other terminal shows the same operation, like a "mirror"
#Run a container
[root@localhost ~]# podman run -d --rm nginx
cfbfa482d627e4355b5dba7db1e9f7e872c5964501f872595ef44edd0f10be7a
#List running containers
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS   NAMES
cfbfa482d627  docker.io/library/nginx:latest  nginx -g daemon o...  4 seconds ago  Up 4 seconds ago          cranky_buck
#Open a new terminal and attach to the container
[root@localhost ~]# podman attach cfbfa482d627
10.88.0.1 - - [10/Mar/2021:16:18:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.61.1" "-"
#Access the container's IP from the earlier terminal
[root@localhost ~]# curl 10.88.0.6
<!DOCTYPE html>
<html>
<title>Welcome to nginx!</title>
</html>
#The access record appears in the container attached in the new terminal
  14. podman exec -it: enter the container, followed by a command such as /bin/bash; the container is not removed when you exit
[root@localhost ~]# podman run -d --rm --name web nginx
0df13a8ec23469f0579aa0ab8bac8d420f54ea9837c8bdd26e23e79715c324bf
[root@localhost ~]# podman exec -it web /bin/bash
root@0df13a8ec234:/# exit
exit
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED         STATUS             PORTS   NAMES
0df13a8ec234  docker.io/library/nginx:latest  nginx -g daemon o...  24 seconds ago  Up 23 seconds ago          web
  15. podman top: view the processes in a container
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS   NAMES
0df13a8ec234  docker.io/library/nginx:latest  nginx -g daemon o...  8 minutes ago  Up 8 minutes ago          web
#There are two processes
[root@localhost ~]# podman top 0df13a8ec234
USER    PID   PPID   %CPU    ELAPSED           TTY   TIME   COMMAND
root    1     0      0.000   8m36.093744355s   ?     0s     nginx: master process nginx -g daemon off; 
nginx   27    1      0.000   8m36.093945649s   ?     0s     nginx: worker process

Configuration for ordinary (non-root) users

Before users without root privileges are allowed to run Podman, the administrator must install or build Podman and complete the following configuration.

Detailed steps: Podman official documentation

Create an ordinary user account

[root@localhost ~]# useradd ldaz
[root@localhost ~]# ll /home/
total 0
drwx------. 2 ldaz ldaz 62 Mar 11 00:45 ldaz
#Log in as the ldaz user
[root@localhost ~]# su - ldaz
Last login: Thu Mar 11 00:48:26 CST 2021 on pts/0

Differences between an ordinary user and root

  1. Images are stored in different locations
#ldaz user
[ldaz@localhost ~]$ podman images
REPOSITORY  TAG     IMAGE ID  CREATED  SIZE
#root user
[root@localhost ~]# podman images
REPOSITORY                 TAG     IMAGE ID      CREATED      SIZE
docker.io/library/busybox  latest  b97242f89c8a  8 weeks ago  1.45 MB
docker.io/library/nginx    latest  f6d0b4767a6c  8 weeks ago  137 MB
  2. The containers each user starts are unrelated to the other's; services running under the same name do not affect each other either
#Create a container as the ldaz user
[ldaz@localhost ~]$ podman images
REPOSITORY                 TAG     IMAGE ID      CREATED      SIZE
docker.io/library/busybox  latest  b97242f89c8a  8 weeks ago  1.45 MB
[ldaz@localhost ~]$ podman run -it busybox
/ # ls
bin   dev   etc   home  proc  root  run   sys   tmp   usr   var
/ # 
#From root, the container running under the ldaz user is not visible
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE   COMMAND  CREATED  STATUS  PORTS   NAMES

cgroup v2 support

cgroup v2 is a Linux kernel feature that lets users limit the resources a rootless container may use. If the Linux distribution running Podman has cgroup v2 enabled, the default OCI runtime may need to be changed. Some older versions of runc do not work with cgroup v2, and you must switch to the alternative OCI runtime, crun.

The default OCI runtime can be changed for all commands, at either the system level or the user level, by changing the "Default OCI runtime" value in the containers.conf file from runtime = "runc" to runtime = "crun".

//Do the following as root
##Install crun
[root@localhost ~]# yum -y install crun
Installed:
  crun-0.16-2.module_el8.3.0+699+d61d9c41.x86_64      yajl-2.1.0-10.el8.x86_64     
Complete!
#Uncomment the line and change it to crun
[root@localhost ~]# vim /usr/share/containers/containers.conf 
# Default OCI runtime
#
 runtime = "crun"
#Start a container to check
[root@localhost ~]# podman run -d --rm nginx
300a7a6bff3ad3bc9c460536bc482ca673d986a6fc48f008fa67086a3106eeb0
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS   NAMES
300a7a6bff3a  docker.io/library/nginx:latest  nginx -g daemon o...  8 seconds ago  Up 8 seconds ago          vibrant_einstein
#Filter for crun to check
[root@localhost ~]# podman inspect 300a7a6bff3a|grep crun
        "OCIRuntime": "crun",
            "crun",

Install slirp4netns

It provides user-mode networking and must be installed for Podman to run in a rootless (ordinary-user) environment.

[root@localhost ~]# yum -y install slirp4netns
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Repository AppStream is listed more than once in the configuration
Last metadata expiration check: 0:56:18 ago on Thu 11 Mar 2021 12:23:46 AM CST.
Package slirp4netns-1.1.8-1.module_el8.3.0+699+d61d9c41.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@localhost ~]# c
slirp4netns-1.1.8-1.module_el8.3.0+699+d61d9c41.x86_64

Install fuse-overlayfs

When using Podman in a rootless environment, fuse-overlayfs is recommended over the VFS storage driver; version 0.7.6 or later is required.

[root@localhost ~]# yum -y install fuse-overlayfs
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Repository AppStream is listed more than once in the configuration
Last metadata expiration check: 0:58:28 ago on Thu 11 Mar 2021 12:23:46 AM CST.
Package fuse-overlayfs-1.3.0-2.module_el8.3.0+699+d61d9c41.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@localhost ~]# rpm -qa|grep fuse-overlayfs
fuse-overlayfs-1.3.0-2.module_el8.3.0+699+d61d9c41.x86_64

Configure the storage.conf file

[root@localhost ~]# vim /etc/containers/storage.conf 
# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
#Uncomment the following line
mount_program = "/usr/bin/fuse-overlayfs"

Configure /etc/subuid and /etc/subgid

Podman requires that the user running it have a range of UIDs listed in the /etc/subuid and /etc/subgid files. The shadow-utils or newuid package provides these files.

[root@localhost ~]# yum -y install shadow

Update /etc/subuid and /etc/subgid with an entry for each user who will be allowed to create containers, similar to the following. Note that the values for each user must be unique and must not overlap. If there is an overlap, one user could use another user's namespace and could corrupt it.

[root@localhost ~]# cat /etc/subuid
ldaz:100000:65536
[root@localhost ~]# useradd ldz
[root@localhost ~]# cat /etc/subuid
ldaz:100000:65536
ldz:165536:65536

The format of this file is USERNAME:UID:RANGE

  • The username as listed in /etc/passwd or getpwent.
  • The initial UID allotted to the user.
  • The size of the UID range allotted to the user.
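The overlap rule above is easy to get wrong when entries are added by hand, and the consequence is one user being able to reach into another user's namespace. As an added example (not from the original post or from the Podman project), the following POSIX shell script lints a file in the USERNAME:UID:RANGE format for malformed lines and for ranges that overlap; the sample entries it runs over are constructed for the demo.

```shell
#!/bin/sh
# Added example: lint a file in /etc/subuid format (USERNAME:UID:RANGE) for
# malformed lines and for ranges that overlap between entries. The sample
# data below is constructed; it is not the page's own /etc/subuid.

# check_subid FILE: print one line per problem; return 0 if clean, 1 otherwise.
check_subid() {
    awk -F: '
    BEGIN { bad = 0; n = 0 }
    /^[ \t]*$/ { next }                            # skip blank lines
    {
        if (NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ || $3 == 0) {
            printf "line %d: malformed entry \"%s\"\n", NR, $0
            bad = 1
            next
        }
        n++
        user[n] = $1
        lo[n]   = $2 + 0
        hi[n]   = $2 + $3 - 1                      # last UID of the range
    }
    END {
        # Two closed intervals overlap when each starts before the other ends.
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                    printf "overlap: %s (%d-%d) and %s (%d-%d)\n",
                           user[i], lo[i], hi[i], user[j], lo[j], hi[j]
                    bad = 1
                }
        exit bad
    }' "$1"
}

# demo: run the check over a clean file and over a deliberately broken one.
demo_check_subid() {
    f=$(mktemp)
    printf 'ldaz:100000:65536\nldz:165536:65536\n' > "$f"
    echo "clean file:"; check_subid "$f" && echo "  ok"
    printf 'alice:100000:65536\nbob:150000:65536\ncarol:230000\n' > "$f"
    echo "broken file:"; check_subid "$f" || echo "  problems found"
    rm -f "$f"
}

case "${1:-}" in --demo) demo_check_subid ;; esac
```

Run it as `sh check_subid.sh --demo` for the constructed data, or call `check_subid /etc/subuid` and `check_subid /etc/subgid` from a cron job or a configuration-management check; a non-zero exit means someone's range collides and the affected users' containers should not be trusted to be isolated from each other until it is fixed.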

User configuration files

The Podman configuration files for root are located in /usr/share/containers, with overrides in /etc/containers. In the rootless environment they are located in ${XDG_CONFIG_HOME}/containers, usually ~/.config/containers, and are owned by each user.

The three main configuration files are containers.conf, storage.conf, and registries.conf. Users can modify these files as needed.

containers.conf

  1. /usr/share/containers/containers.conf
  2. /etc/containers/containers.conf
  3. $HOME/.config/containers/containers.conf

These are read in that order, if they exist. Each file can override particular fields of the previous one.

storage.conf

  1. /etc/containers/storage.conf
  2. $HOME/.config/containers/storage.conf

In the rootless environment, certain fields in /etc/containers/storage.conf are ignored. These fields are:

graphroot=""
 container storage graph dir (default: "/var/lib/containers/storage")
 Default directory to store all writable content created by container storage programs.

runroot=""
 container storage run dir (default: "/run/containers/storage")
 Default directory to store all temporary writable content created by container storage programs.

For rootless users, these fields default to

graphroot="$HOME/.local/share/containers/storage"
runroot="$XDG_RUNTIME_DIR/containers"

registries.conf

The configuration is read in this order. These files are not created by default; they can be copied from /usr/share/containers or /etc/containers and then modified.

  1. /etc/containers/registries.conf
  2. /etc/containers/registries.d/*
  3. $HOME/.config/containers/registries.conf

Using volumes

Rootless Podman is not, and never will be, root. It is not a setuid binary, and it gains no privileges when it runs. Instead, Podman uses a user namespace to shift the UIDs and GIDs of a block of users it has been given on the host (via the newuidmap and newgidmap executables), together with your own user, into the containers Podman creates.

If your container runs as the root user, root inside the container is actually your own user on the host. UID/GID 1 is the first UID/GID specified in your user's mapping in /etc/subuid and /etc/subgid, and so on. If you mount a host directory into a container as a rootless user and create a file in that directory as root, you will see that on the host it is actually owned by your user.
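The mapping described above, as an added example (not from the original post): two POSIX shell functions that translate a UID from the container to the host and back, given the user's host UID and the USERNAME:UID:RANGE entry from /etc/subuid. The page does not give the host UID of ldaz, so 1000 is assumed; the subuid entry ldaz:100000:65536 is the one shown earlier on the page.

```shell
#!/bin/sh
# Added example: translate UIDs between a rootless container and the host.
# Numbers are constructed; the page does not give the host UID of ldaz, so
# 1000 is assumed here.
#
# A user with the /etc/subuid entry USER:START:RANGE gets this map inside a
# rootless container:
#   container UID 0            -> the user's own host UID
#   container UID k (1..RANGE) -> host UID START + k - 1
# Anything else is unmapped and appears as the overflow ID (65534, "nobody").

# host_uid USER_UID START RANGE CONTAINER_UID: print the host UID.
host_uid() {
    user_uid=$1; start=$2; range=$3; cuid=$4
    if [ "$cuid" -eq 0 ]; then
        echo "$user_uid"
    elif [ "$cuid" -ge 1 ] && [ "$cuid" -le "$range" ]; then
        echo $((start + cuid - 1))
    else
        echo unmapped
    fi
}

# container_uid USER_UID START RANGE HOST_UID: the inverse, useful when
# reading `ls -n` on the host and wondering who inside a container owns a file.
container_uid() {
    user_uid=$1; start=$2; range=$3; huid=$4
    if [ "$huid" -eq "$user_uid" ]; then
        echo 0
    elif [ "$huid" -ge "$start" ] && [ "$huid" -lt $((start + range)) ]; then
        echo $((huid - start + 1))
    else
        echo unmapped
    fi
}

# Demo with ldaz:100000:65536 from the page and an assumed host UID of 1000.
# The official nginx image creates its nginx user with UID 101, so files its
# worker processes write to a bind-mounted volume show up on the host as
# UID 100100, while files written by container root are owned by ldaz.
demo_uid_map() {
    for cuid in 0 1 101 65536 65537; do
        printf 'container uid %-6s -> host uid %s\n' "$cuid" \
            "$(host_uid 1000 100000 65536 "$cuid")"
    done
    printf 'host uid 100100 -> container uid %s\n' \
        "$(container_uid 1000 100000 65536 100100)"
}

case "${1:-}" in --demo) demo_uid_map ;; esac
```

This is why the file abc in the demonstration below is owned by ldaz on the host even though it was created as root inside busybox, and why a non-root process in a container leaves files with owners like 100100 that no host account matches: when reading such ownership during an investigation, convert back with the subuid entry of the user who ran the container. Note that the map also applies in the other direction, and the `:Z` relabel on the volume changes SELinux labels on the host directory, not ownership.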

Demonstration:

##Do the following as the ordinary user
[ldaz@localhost ~]$ whoami
ldaz
[ldaz@localhost ~]$ ls
[ldaz@localhost ~]$ mkdir leidazhuang
[ldaz@localhost ~]$ ls
leidazhuang
[ldaz@localhost ~]$ ll
total 0
drwxrwxr-x. 2 ldaz ldaz 6 Mar 11 01:46 leidazhuang
[ldaz@localhost ~]$ podman run -it --rm -v /home/ldaz/leidazhuang:/data:Z busybox /bin/sh
/ # ls
bin   data  dev   etc   home  proc  root  run   sys   tmp   usr   var
/ # cd data/
/data # touch abc
/data # ls
abc

