Working with podman

Contents

      • Basic podman operations
        • Configuration for rootless (non-root) users
        • Installing slirp4netns and fuse-overlayfs
        • /etc/subuid and /etc/subgid configuration
        • Ordinary users cannot see root's images
        • Different users can create containers with the same name without interfering with each other
        • Using volumes

Basic podman operations

  • Pull an image
[root@C82 ~]# podman pull nginx
Copying blob b10cf527a02d done  
Copying blob c90b090c213b done  
Copying blob 33847f680f63 done  
Copying blob dbb907d5159d done  
Copying blob 1f41b2f2bf94 done  
Copying blob 8a268f30c42a done  
Copying config 08b152afcf done  
Writing manifest to image destination
Storing signatures
08b152afcfae220e9709f00767054b824361c742ea03a9fe936271ba520a0a4b

  • Run a container and inspect it
[root@C82 ~]# podman images
REPOSITORY               TAG     IMAGE ID      CREATED      SIZE
docker.io/library/nginx  latest  08b152afcfae  3 weeks ago  137 MB
[root@C82 ~]# podman run  -d  --name t1 -p 80 docker.io/library/nginx
d3d91a71faf5a9986ff2df4f71a04d8746fc421a6d8f4d25dda4720551a10fe3
[root@C82 ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS               NAMES
d3d91a71faf5  docker.io/library/nginx:latest  nginx -g daemon o...  7 seconds ago  Up 6 seconds ago  0.0.0.0:80->80/tcp  t1
[root@C82 ~]# podman inspect -l
[
    {
        "Id": "d3d91a71faf5a9986ff2df4f71a04d8746fc421a6d8f4d25dda4720551a10fe3",
        "Created": "2021-08-13T01:20:01.478654603-04:00",
        "Path": "/docker-entrypoint.sh",
        "Args": [
            "nginx",
            "-g",
            "daemon off;"
        ],
        "State": {
            "OciVersion": "1.0.2-dev",
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 545287,
            "ConmonPid": 545275,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2021-08-13T01:20:02.083693882-04:00",
            "FinishedAt": "0001-01-01T00:00:00Z",
            "Healthcheck": {
                "Status": "",
                "FailingStreak": 0,
                "Log": null
            }

[root@C82 ~]# curl 192.168.10.30:80
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/" target="_blank" rel="external nofollow" >nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/" target="_blank" rel="external nofollow" >nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

  • View container logs with podman logs
[root@C82 ~]# podman logs -l
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
192.168.10.30 - - [13/Aug/2021:05:23:43 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.61.1" "-"
......

  • podman top <container_id>: view the processes (PIDs) in a container
[root@C82 ~]# podman top t1
USER    PID   PPID   %CPU    ELAPSED           TTY   TIME   COMMAND
root    1     0      0.000   6m13.809962985s   ?     0s     nginx: master process nginx -g daemon off; 
nginx   32    1      0.000   6m13.810405688s   ?     0s     nginx: worker process 
nginx   33    1      0.000   6m13.810447288s   ?     0s     nginx: worker process 
nginx   34    1      0.000   6m13.810553274s   ?     0s     nginx: worker process 
nginx   35    1      0.000   6m13.810596036s   ?     0s     nginx: worker process 

  • Push an image
[root@C82 ~]# podman login
Username: diligence
Password: 
Login Succeeded!
[root@C82 ~]# podman tag docker.io/library/nginx:latest diligence/test:nginx
[root@C82 ~]# podman push diligence/test:nginx
Getting image source signatures
Copying blob e3135447ca3e done  
Copying blob 988d9a3509bb done  
Copying blob 59b01b87c9e7 done  
Copying blob b85734705991 done  
Copying blob 7c0b223167b9 done  
Copying blob 814bff734324 done  
Copying config 08b152afcf done  
Writing manifest to image destination
Storing signatures

Configuration for rootless (non-root) users

Before allowing users without root privileges to run Podman, the administrator must install or build Podman and complete the following configuration.

The cgroup v2 Linux kernel feature allows limiting the resources that an ordinary user's containers may use. If the Linux distribution running Podman has cgroup v2 enabled, the default OCI runtime may need to be changed: some older versions of runc do not work with cgroup v2, and you must switch to the alternative OCI runtime, crun.

yum -y install crun

You can then edit containers.conf and change runtime = "runc" to runtime = "crun":

[root@C82 ~]# vim /usr/share/containers/containers.conf
......
# volume_path = "/var/lib/containers/storage/volumes"

# Default OCI runtime
#
# runtime = "crun"
runtime = "crun"

# List of the OCI runtimes that support --format=json.  When json is supported
# engine will use it for reporting nicer errors.
......
[root@C82 ~]# podman start t1
[root@C82 ~]# podman inspect t1 | grep runc
        "OCIRuntime": "runc",
            "runc",

The existing container t1 still reports runc: a container keeps the OCI runtime it was created with, and only containers created after the change use the new default.

Installing slirp4netns and fuse-overlayfs

The slirp4netns package provides a networking mode for ordinary (non-root) users.

When using Podman as an ordinary user, fuse-overlayfs is recommended over the VFS storage driver.

yum -y install slirp4netns
yum -y install fuse-overlayfs

Configure the storage.conf file

[root@C82 ~]# vim /etc/containers/storage.conf
# This file is is the configuration file for all tools
# that use the containers/storage library.
# See man 5 containers-storage.conf for more information
# The "container storage" table contains all of the server options.
[storage]

# Default Storage Driver, Must be set for proper operation.
driver = "overlay"   # change this to "overlay"

# Temporary storage location
runroot = "/run/containers/storage"
......
# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
mount_program = "/usr/bin/fuse-overlayfs"   # uncomment this line

/etc/subuid and /etc/subgid configuration

Podman requires the user running it to have a range of UIDs listed in /etc/subuid and /etc/subgid; these files are provided by the shadow-utils or newuid package.

yum -y install shadow-utils

You can check /etc/subuid and /etc/subgid; the values for each user must be unique and must not overlap with any other user's range.

[root@C82 ~]# useradd xx
[root@C82 ~]# cat /etc/subuid
xx:100000:65536
[root@C82 ~]# cat /etc/subgid
xx:100000:65536

The format of the file is USERNAME:UID:RANGE:

  • The user name, as listed in /etc/passwd or returned by getpwent.
  • The initial UID assigned to the user.
  • The size of the UID range assigned to the user.
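A check for the rule above, added here as an example (not from the original post): it parses a file in the USERNAME:UID:RANGE format and reports malformed lines as well as ranges that overlap between users. The file path is a parameter so a constructed copy can be tested offline.

```shell
#!/bin/sh
# Added example, not from the original post: validate a subuid/subgid-format
# file (USERNAME:START:COUNT). Prints each problem found and returns 1 if
# any line is malformed or any two users' ranges overlap.
# Usage: check_subid_file /etc/subuid
check_subid_file() {
    file="$1"
    awk -F: '
        # A line without exactly three numeric-tailed fields, e.g. a missing
        # colon such as "xx:10000065536", silently breaks the mapping.
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
            printf "malformed line %d: %s\n", NR, $0; bad = 1; next
        }
        { name[NR] = $1; start[NR] = $2 + 0; end[NR] = $2 + $3 - 1 }
        END {
            # Pairwise overlap check; fine for the handful of users a host has.
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if ((i in start) && (j in start) &&
                        start[i] <= end[j] && start[j] <= end[i]) {
                        printf "overlap: %s (%d-%d) and %s (%d-%d)\n",
                            name[i], start[i], end[i], name[j], start[j], end[j]
                        bad = 1
                    }
            if (bad) exit 1
            exit 0
        }' "$file"
}
```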

Ordinary users cannot see root's images

[root@C82 ~]# podman images
REPOSITORY               TAG         IMAGE ID      CREATED      SIZE
docker.io/library/nginx  latest      08b152afcfae  3 weeks ago  137 MB

[root@C82 ~]# su - xx
[xx@C82 ~]$ podman images
REPOSITORY  TAG         IMAGE ID    CREATED     SIZE

Different users can create containers with the same name without interfering with each other

[root@C82 ~]# podman run -d --name web nginx
dc0d7ebeaf2ad3245ce9d3964f8afe8b075dd25e014024d02846540f47f1b578
[root@C82 ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED         STATUS             PORTS               NAMES
dc0d7ebeaf2a  docker.io/library/nginx:latest  nginx -g daemon o...  8 seconds ago   Up 7 seconds ago                       web
d3d91a71faf5  docker.io/library/nginx:latest  nginx -g daemon o...  20 minutes ago  Up 20 minutes ago  0.0.0.0:80->80/tcp  t1

[xx@C82 ~]$ podman run -d --name web nginx
05a0373053548f83e15b1719ee535ab1d0f448b655ffb033867eeeb06c273cb6
[xx@C82 ~]$ podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED         STATUS             PORTS       NAMES
05a037305354  docker.io/library/nginx:latest  nginx -g daemon o...  40 seconds ago  Up 39 seconds ago              web

Using volumes

When a container is run as root, root inside the container is actually your user on the host; the UID/GID used is the first UID/GID specified in the user's mapping in /etc/subuid and /etc/subgid. If, as an ordinary user, you mount a host directory into the container and create a file in that directory as root, you will see that the file is actually owned by your user on the host.
[xx@C82 ~]$ pwd
/home/xx
[xx@C82 ~]$ podman run -it --name web1 -v /home/xx/bb:/data:Z docker.io/library/nginx /bin/sh
# ls
bin   data  docker-entrypoint.d   etc   lib    media  opt   root  sbin  sys  usr
boot  dev   docker-entrypoint.sh  home  lib64  mnt    proc  run   srv   tmp  var
# cd data 
# ls
# touch 789
# ls
789
# pwd
/data
# exit
[xx@C82 ~]$ ls
bb
[xx@C82 ~]$ ls bb
789

The --userns=keep-id flag ensures that the user is mapped to their own UID and GID inside the container.

[xx@C82 ~]$ podman run -it --name t10086 -v "$(pwd)"/dd:/aa --userns=keep-id busybox /bin/sh
~ $ touch aa/abc
~ $ ls -l aa/
total 0
-rw-r--r--    1 xx       xx               0 Aug 13 06:22 123
-rw-r--r--    1 xx       xx               0 Aug 13 06:24 abc
~ $ exit
[xx@C82 ~]$ ll dd/
總用量 0
-rw-r--r--. 1 xx xx 0 8月  13 06:22 123
-rw-r--r--. 1 xx xx 0 8月  13 06:24 abc
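To make the mapping in the two passages above concrete (root inside a rootless container, and --userns=keep-id), the following added example, which is not part of the original post, computes the host UID behind a container UID from a user's entries in /etc/passwd and /etc/subuid; the user xx, UID 1000 and the ranges in the test are constructed. It implements Podman's documented rootless mapping: by default container root is the host user and container UID n (n >= 1) is the n-th ID of the subuid range; with keep-id the user's own UID maps 1:1 and the subuid range fills the IDs below and above it.

```shell
#!/bin/sh
# Added example, not from the original post: which host UID does a UID inside
# a rootless Podman container correspond to? File paths are parameters so
# constructed copies of /etc/passwd and /etc/subuid can be used offline.
# Usage: host_uid PASSWD_FILE SUBUID_FILE USER CONTAINER_UID [default|keep-id]
host_uid() {
    passwd="$1" subuid="$2" user="$3" cuid="$4" mode="${5:-default}"
    # host UID of the user, and the start/size of its subuid range
    huid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$passwd")
    set -- $(awk -F: -v u="$user" '$1 == u { print $2, $3; exit }' "$subuid")
    start="$1" count="$2"
    if [ -z "$huid" ] || [ -z "$start" ]; then
        echo "no passwd or subuid entry for $user" >&2; return 1
    fi
    case "$mode" in
    default)
        # Default rootless mapping: container root is the host user itself;
        # container UID n (n >= 1) is the n-th ID of the subuid range, so
        # files created as root in a bind mount belong to the host user.
        if [ "$cuid" -eq 0 ]; then echo "$huid"
        elif [ "$cuid" -le "$count" ]; then echo $((start + cuid - 1))
        else return 1; fi ;;
    keep-id)
        # --userns=keep-id: the user's own UID is mapped 1:1; the subuid
        # range covers the container IDs below it and above it.
        if [ "$cuid" -eq "$huid" ]; then echo "$huid"
        elif [ "$cuid" -lt "$huid" ]; then echo $((start + cuid))
        elif [ "$cuid" -le "$count" ]; then echo $((start + cuid - 1))
        else return 1; fi ;;
    *) echo "unknown mode $mode" >&2; return 2 ;;
    esac
}
```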

To let ordinary users publish port 80, lower the privileged-port boundary by adding net.ipv4.ip_unprivileged_port_start=80 to /etc/sysctl.conf. Note that this setting is host-wide: afterwards any unprivileged process, not only Podman, may bind ports 80 and above.

[root@C82 ~]# echo  'net.ipv4.ip_unprivileged_port_start=80'  >> /etc/sysctl.conf
[root@C82 ~]# sysctl -p
net.ipv4.ip_unprivileged_port_start = 80

[xx@C82 ~]$ podman  run  --name nginx  -d  -p 80:80 nginx
380630dccb56825c8d56ad19ddf22cbebb535ae5fcc40a4232270673da050bd0
[xx@C82 ~]$ podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED             STATUS                 PORTS                 NAMES
380630dccb56  docker.io/library/nginx:latest  nginx -g daemon o...  5 seconds ago       Up 5 seconds ago       0.0.0.0:80->80/tcp    nginx