Contents
- podman basic operations
- Configuration for non-root users
- Installing slirp4netns and fuse-overlayfs
- /etc/subuid and /etc/subgid configuration
- Non-root users cannot see root's images
- Different users can create containers with the same name without interfering
- Using volumes
podman basic operations
- Pull an image
[root@C82 ~]# podman pull nginx
Copying blob b10cf527a02d done
Copying blob c90b090c213b done
Copying blob 33847f680f63 done
Copying blob dbb907d5159d done
Copying blob 1f41b2f2bf94 done
Copying blob 8a268f30c42a done
Copying config 08b152afcf done
Writing manifest to image destination
Storing signatures
08b152afcfae220e9709f00767054b824361c742ea03a9fe936271ba520a0a4b
- Run a container and inspect it
[root@C82 ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest 08b152afcfae 3 weeks ago 137 MB
[root@C82 ~]# podman run -d --name t1 -p 80 docker.io/library/nginx
d3d91a71faf5a9986ff2df4f71a04d8746fc421a6d8f4d25dda4720551a10fe3
[root@C82 ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d3d91a71faf5 docker.io/library/nginx:latest nginx -g daemon o... 7 seconds ago Up 6 seconds ago 0.0.0.0:80->80/tcp t1
[root@C82 ~]# podman inspect -l
[
{
"Id": "d3d91a71faf5a9986ff2df4f71a04d8746fc421a6d8f4d25dda4720551a10fe3",
"Created": "2021-08-13T01:20:01.478654603-04:00",
"Path": "/docker-entrypoint.sh",
"Args": [
"nginx",
"-g",
"daemon off;"
],
"State": {
"OciVersion": "1.0.2-dev",
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 545287,
"ConmonPid": 545275,
"ExitCode": 0,
"Error": "",
"StartedAt": "2021-08-13T01:20:02.083693882-04:00",
"FinishedAt": "0001-01-01T00:00:00Z",
"Healthcheck": {
"Status": "",
"FailingStreak": 0,
"Log": null
}
[root@C82 ~]# curl 192.168.10.30:80
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
- podman logs: view the container's logs
[root@C82 ~]# podman logs -l
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
192.168.10.30 - - [13/Aug/2021:05:23:43 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.61.1" "-"
......
- podman top <container_id>: view the processes and PIDs running inside the container
[root@C82 ~]# podman top t1
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
root 1 0 0.000 6m13.809962985s ? 0s nginx: master process nginx -g daemon off;
nginx 32 1 0.000 6m13.810405688s ? 0s nginx: worker process
nginx 33 1 0.000 6m13.810447288s ? 0s nginx: worker process
nginx 34 1 0.000 6m13.810553274s ? 0s nginx: worker process
nginx 35 1 0.000 6m13.810596036s ? 0s nginx: worker process
- Push an image
[root@C82 ~]# podman login
Username: diligence
Password:
Login Succeeded!
[root@C82 ~]# podman tag docker.io/library/nginx:latest diligence/test:nginx
[root@C82 ~]# podman push diligence/test:nginx
Getting image source signatures
Copying blob e3135447ca3e done
Copying blob 988d9a3509bb done
Copying blob 59b01b87c9e7 done
Copying blob b85734705991 done
Copying blob 7c0b223167b9 done
Copying blob 814bff734324 done
Copying config 08b152afcf done
Writing manifest to image destination
Storing signatures
Configuration for non-root users
Before allowing users without root privileges to run Podman, the administrator must install or build Podman and complete the following configuration.
The cgroup v2 Linux kernel feature lets you limit the resources that a non-root user's containers may use. If the Linux distribution running Podman has cgroup v2 enabled, the default OCI runtime may need to be changed: some older versions of runc do not work with cgroup v2, so you must switch to the alternative OCI runtime crun.
yum -y install crun
Change runtime = "runc" to runtime = "crun" in the containers.conf file:
[root@C82 ~]# vim /usr/share/containers/containers.conf
......
# volume_path = "/var/lib/containers/storage/volumes"
# Default OCI runtime
#
# runtime = "crun"
runtime = "crun"
# List of the OCI runtimes that support --format=json. When json is supported
# engine will use it for reporting nicer errors.
......
[root@C82 ~]# podman start t1
[root@C82 ~]# podman inspect t1 | grep runc
"OCIRuntime": "runc",
"runc",
Installing slirp4netns and fuse-overlayfs
The slirp4netns package provides a networking mode for non-root users.
When using Podman as a non-root user, fuse-overlayfs is recommended instead of the VFS storage driver.
yum -y install slirp4netns
yum -y install fuse-overlayfs
Configure the storage.conf file:
[root@C82 ~]# vim /etc/containers/storage.conf
# This file is is the configuration file for all tools
# that use the containers/storage library.
# See man 5 containers-storage.conf for more information
# The "container storage" table contains all of the server options.
[storage]
# Default Storage Driver, Must be set for proper operation.
driver = "overlay"  # change this to overlay
# Temporary storage location
runroot = "/run/containers/storage"
......
# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
mount_program = "/usr/bin/fuse-overlayfs"  # uncomment this line
/etc/subuid and /etc/subgid configuration
Podman requires the user running it to have a range of UIDs listed in the /etc/subuid and /etc/subgid files; the shadow-utils or newuid package provides these files.
yum -y install shadow-utils
You can check the ranges in /etc/subuid and /etc/subgid; each user's range must be unique and must not overlap with any other user's range.
[root@C82 ~]# useradd xx
[root@C82 ~]# cat /etc/subuid
xx:100000:65536
[root@C82 ~]# cat /etc/subgid
xx:100000:65536
The format of these files is USERNAME:UID:RANGE:
- a user name listed in /etc/passwd or returned by getpwent;
- the initial UID assigned to the user;
- the size of the UID range assigned to the user.
Non-root users cannot see root's images
[root@C82 ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest 08b152afcfae 3 weeks ago 137 MB
[root@C82 ~]# su - xx
[xx@C82 ~]$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
Different users can create containers with the same name without interfering
[root@C82 ~]# podman run -d --name web nginx
dc0d7ebeaf2ad3245ce9d3964f8afe8b075dd25e014024d02846540f47f1b578
[root@C82 ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
dc0d7ebeaf2a docker.io/library/nginx:latest nginx -g daemon o... 8 seconds ago Up 7 seconds ago web
d3d91a71faf5 docker.io/library/nginx:latest nginx -g daemon o... 20 minutes ago Up 20 minutes ago 0.0.0.0:80->80/tcp t1
[xx@C82 ~]$ podman run -d --name web nginx
05a0373053548f83e15b1719ee535ab1d0f448b655ffb033867eeeb06c273cb6
[xx@C82 ~]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
05a037305354 docker.io/library/nginx:latest nginx -g daemon o... 40 seconds ago Up 39 seconds ago web
Using volumes
When a container runs as root, the root user inside the container is actually your own user on the host. Container UID/GID 1 is the first UID/GID given in the user's mapping in /etc/subuid and /etc/subgid. If, as a non-root user, you mount a host directory into the container and create a file in that directory as root, you will see that the file is actually owned by your user on the host.
[xx@C82 ~]$ pwd
/home/xx
[xx@C82 ~]$ podman run -it --name web1 -v /home/xx/bb:/data:Z docker.io/library/nginx /bin/sh
# ls
bin data docker-entrypoint.d etc lib media opt root sbin sys usr
boot dev docker-entrypoint.sh home lib64 mnt proc run srv tmp var
# cd data
# ls
# touch 789
# ls
789
# pwd
/data
# exit
[xx@C82 ~]$ ls
bb
[xx@C82 ~]$ ls bb
789
The --userns=keep-id flag ensures that your user is mapped to its own UID and GID inside the container.
[xx@C82 ~]$ podman run -it --name t10086 -v "$(pwd)"/dd:/aa --userns=keep-id busybox /bin/sh
~ $ touch aa/abc
~ $ ls -l aa/
total 0
-rw-r--r-- 1 xx xx 0 Aug 13 06:22 123
-rw-r--r-- 1 xx xx 0 Aug 13 06:24 abc
~ $ exit
[xx@C82 ~]$ ll dd/
總用量 0
-rw-r--r--. 1 xx xx 0 8月 13 06:22 123
-rw-r--r--. 1 xx xx 0 8月 13 06:24 abc
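As an added example (not part of the original post), the following Python parses /etc/subuid entries such as the xx:100000:65536 line above, checks that no two users' ranges overlap, and computes the host UID a file receives when created by a given container UID, both with the default rootless mapping seen in the `touch 789` run and with --userns=keep-id. It assumes user xx has host uid 1000, which the post does not state.

```python
# Added example (not from the original post): parse /etc/subuid entries,
# check that user ranges do not overlap, and compute how a UID inside a
# rootless container lands on the host, with and without --userns=keep-id.
# Assumptions: the subuid text is constructed; user xx is taken as uid 1000.

def parse_subid(text):
    """Parse USERNAME:START:COUNT lines into {user: (start, count)}."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, start, count = line.split(":")
            ranges[user] = (int(start), int(count))
    return ranges

def find_overlaps(ranges):
    """Return (user1, user2) pairs whose subordinate ranges intersect."""
    users = sorted(ranges)
    bad = []
    for i, u1 in enumerate(users):
        s1, c1 = ranges[u1]
        for u2 in users[i + 1:]:
            s2, c2 = ranges[u2]
            if s1 < s2 + c2 and s2 < s1 + c1:
                bad.append((u1, u2))
    return bad

def host_uid(container_uid, user_uid, sub_start, sub_count, keep_id=False):
    """Host UID a container UID is written to disk as, or None if unmapped.
    Default rootless map: container 0 -> user_uid, container n>=1 ->
    sub_start+n-1.  With --userns=keep-id the subordinate range is used
    in order, except that user_uid maps to itself on the host."""
    if not keep_id:
        if container_uid == 0:
            return user_uid
        offset = container_uid - 1
    elif container_uid == user_uid:
        return user_uid
    else:  # the identity slot for user_uid consumes no subordinate id
        offset = container_uid if container_uid < user_uid else container_uid - 1
    return sub_start + offset if 0 <= offset < sub_count else None

SUBUID = parse_subid("xx:100000:65536\nyy:165536:65536\n")  # constructed sample
XX_START, XX_COUNT = SUBUID["xx"]

if __name__ == "__main__":
    print("overlaps:", find_overlaps(SUBUID))                               # []
    print("container root ->", host_uid(0, 1000, XX_START, XX_COUNT))       # 1000
    print("keep-id uid 1000 ->", host_uid(1000, 1000, XX_START, XX_COUNT, True))  # 1000
```

The first print explains why `touch 789` as container root appears as owned by xx on the host; the last shows why keep-id gives xx:xx ownership without running as container root.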
Set net.ipv4.ip_unprivileged_port_start=80 in /etc/sysctl.conf so that a non-root user's container can publish port 80:
[root@C82 ~]# echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf
[root@C82 ~]# sysctl -p
net.ipv4.ip_unprivileged_port_start = 80
[xx@C82 ~]$ podman run --name nginx -d -p 80:80 nginx
380630dccb56825c8d56ad19ddf22cbebb535ae5fcc40a4232270673da050bd0
[xx@C82 ~]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
380630dccb56 docker.io/library/nginx:latest nginx -g daemon o... 5 seconds ago Up 5 seconds ago 0.0.0.0:80->80/tcp nginx