Podman command usage and user configuration
What is Podman?
For details, see:
Podman can replace most Docker subcommands (RUN, PUSH, PULL and so on). Podman needs no daemon; instead it uses user namespaces to simulate root inside the container, so there is no need to connect to a root-privileged socket, which keeps the container stack secure.
Podman focuses on all the commands and functions for maintaining and modifying OCI images, such as pulling and tagging. It also lets us create, run and maintain containers created from those images.
Podman can manage and run any container and container image that conforms to the OCI (Open Container Initiative) specification. Podman provides a Docker-compatible command-line front end for managing Docker images.
Podman is mainly initiated and driven by Red Hat and is the next generation of container technology. It consists of three modules: Podman, Skopeo and Buildah.
All three tools are OCI-compliant (github/containers). Driven mainly by Red Hat, together they can do everything Docker does, without a daemon and without access to a root-privileged group, which makes them more secure and reliable: the next generation of container tools.
Podman is an open-source container runtime project available on most Linux platforms. Podman offers functionality very similar to Docker. As mentioned above, it does not need any daemon running on your system, and it can also run without root privileges.
How do Podman and Docker differ?
Docker needs a daemon (the docker daemon) running on our system; Podman does not.
The way containers are started differs:
The docker CLI talks to the Docker Engine over an API, telling it to create a container; the Docker Engine then calls the OCI container runtime (runc) to start the container. This means the container process is not a child process of the Docker CLI but a child process of the Docker Engine.
Podman interacts with the OCI container runtime (runc) directly to create the container, so the container process is a direct child process of podman.
Because Docker has the docker daemon, containers started by Docker support a --restart policy, while Podman does not. In Kubernetes this is not a problem, since we can set the pod's restart policy; on a plain system we can write a systemd service to handle autostart.
Docker needs the root user to create containers; Podman does not.
Installing Podman and configuring a registry mirror
Install Podman
[root@pos.d]# yum -y install podman
Updating Subscription Management repositories.
warning: /var/cache/dnf/base-43708d1174dbbac2/packages/checkpolicy-2.9-1.el8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 8483c65d: NOKEY
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : python3-libsemanage-2.9-2.el8.x86_64 1/22
Verifying : podman-2.dule_el8.3.0+699+d61d9c41.x86_64 17/22
Verifying : podman-catatonit-2.dule_el8.3.0+699+d61d9c41.x 18/22
Verifying : protobuf-c-1.3.0-4.el8.x86_64 19/22
Complete!
Podman alias
//alias it as docker
[root@localhost ~]# alias docker=podman
//confirm that docker is not installed
[root@localhost ~]# rpm -qa|grep docker
//the "docker" command can now be used
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest 35c43ace9216 2 weeks ago 137 MB
Configure a registry mirror
To obtain a mirror address, see:
//back up the file
[root@localhost ~]# cd /etc/containers/
[root@localhost containers]# ls
certs.d oci policy.json f registries.d f
[root@localhost containers]# f-origin
[root@localhost containers]# ls
certs.d policy.json f-origin f
oci f registries.d
//configuration file
#prefix need not be followed by any configuration; the mirror used here is my own Alibaba Cloud mirror
[root@localhost containers]# f
unqualified-search-registries = ["docker.io"]
[[registry]]
prefix = "docker.io"
location = "zyva0762.mirror.aliyuncs"
Basic Podman commands
podman search: search for an image on the official registry
[root@localhost ~]# podman search nginx
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
docker.io docker.io/library/nginx Official build of Nginx. 14547 [OK]
docker.io docker.io/jwilder/nginx-proxy Automated Nginx reverse proxy for 1982 [OK]
docker.io docker.io/bitnami/nginx Bitnami nginx Docker Image 94 [OK]
podman pull: download an image from the official registry; without a version tag the latest version is downloaded by default
[root@localhost ~]# podman pull nginx
Completed short name "nginx" with unqualified-search registries (origin: /etc/f)
Trying to pull docker.io/library/
Getting image source signatures
Copying blob 19e2441aeeab done
Copying blob 8acc495f1d91 done
Copying blob f5a38c5f8d4e done
Copying blob 45b42c59be33 [======================================] 25.8MiB / 25.8MiB
Copying blob ec3bd7de90d7 done
Copying blob 83500d851118 done
Copying config 35c43ace92 done
Writing manifest to image destination
Storing signatures
35c43ace9216212c0f0e546a65eec93fa9fc8e96b25880ee222b7ed2ca1d2151
podman images: list the images present
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest 35c43ace9216 2 weeks ago 137 MB
podman create: create a container
#first method
[root@localhost ~]# podman create docker.io/library/nginx
6c491585fba9de855e425571b919c3bc33bbe2bd7d43097979fc0cd63864297b
#second method
[root@localhost ~]# podman create nginx
19a2b985132f269556bdfb9b0772e090e25f6fbf16948a08de4867a7b14c011c
podman ps: list running containers; -a shows all containers
[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@localhost ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
19a2b985132f docker.io/library/nginx:latest nginx -g 22 seconds ago Created romantic_saha
6c491585fba9 docker.io/library/nginx nginx -g 29 seconds ago Created elegant_elion
podman start: start a container
[root@localhost ~]# podman start 79c842403792
79c842403792
#list running containers
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
79c842403792 docker.io/library/nginx:latest nginx -g 50 seconds ago Up 22 seconds ago vigorous_newton
podman stop: stop a running container
[root@localhost ~]# podman stop 79c842403792
79c8424037921370db4b12473dac4d5f5a899d5bd0deb510743d4e7fe6a07839
#list running containers
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
podman restart: restart a container
[root@localhost ~]# podman restart 79c842403792
79c8424037921370db4b12473dac4d5f5a899d5bd0deb510743d4e7fe6a07839
#list running containers
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
79c842403792 docker.io/library/nginx:latest nginx -g 5 minutes ago Up 3 seconds ago vigorous_newton
podman rm: remove a container; a running container cannot be removed unless -f is used; rmi removes an image
#list running containers
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
79c842403792 docker.io/library/nginx:latest nginx -g 6 minutes ago Up About a minute ago vigorous_newton
#removing the container fails
[root@localhost ~]# podman rm 79c842403792
Error: cannot remove container 79c8424037921370db4b12473dac4d5f5a899d5bd0deb510743d4e7fe6a07839 as it is running - running or paused containers cannot be removed without force: container state improper
#force removal
[root@localhost ~]# podman rm -f 79c842403792
79c8424037921370db4b12473dac4d5f5a899d5bd0deb510743d4e7fe6a07839
#no longer running
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
podman run: run a container directly; -d runs it in the background
#run a container
[root@localhost ~]# podman run nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.f
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.f
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
#open a new terminal and list running containers
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1a2defb333e2 docker.io/library/nginx:latest nginx -g 23 seconds ago Up 23 seconds ago dazzling_perlman
#-d runs in the background
[root@localhost ~]# podman run -d nginx
966417eedde4e21a7216a7a5126069431fa0e5f3bd0abdea6d94a16520acd24e
podman logs: view a container's log
[root@localhost ~]# podman logs 966417eedde4
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.f
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.f
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
#access the container's IP from one terminal
[root@localhost ~]# curl 10.88.0.5
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="/"&</a>.<br/>
Commercial support is available at
<a href="nginx/">nginx</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
#the log has been updated
[root@localhost ~]# podman logs 966417eedde4
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.f
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.f
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
10.88.0.1 - - [10/Mar/2021:11:11:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.61.1" "-"
podman inspect: view all kinds of information about a container
[root@localhost ~]# podman inspect 966417eedde4
#look at the IP
"EndpointID": "",
"Gateway": "10.88.0.1",
"IPAddress": "10.88.0.5",
"IPPrefixLen": 16,
podman attach: attach to the same position inside the container; when an operation is performed, the container shown in the other terminal displays the same operation, like a "mirror"
#run a container
[root@localhost ~]# podman run -d --rm nginx
cfbfa482d627e4355b5dba7db1e9f7e872c5964501f872595ef44edd0f10be7a
#list running containers
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cfbfa482d627 docker.io/library/nginx:latest nginx -g 4 seconds ago Up 4 seconds ago cranky_buck
#open a new terminal and attach to the container
[root@localhost ~]# podman attach cfbfa482d627
10.88.0.1 - - [10/Mar/2021:16:18:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.61.1" "-"
#access the container's IP from the earlier terminal
[root@localhost ~]# curl 10.88.0.6
<!DOCTYPE html>
<html>
<title>Welcome to nginx!</title>
</html>
#the access record appears inside the container in the new terminal
podman exec -it: enter the container, followed by a command such as /bin/bash; leaving with exit does not remove the container
[root@localhost ~]# podman run -d --rm --name web nginx
0df13a8ec23469f0579aa0ab8bac8d420f54ea9837c8bdd26e23e79715c324bf
[root@localhost ~]# podman exec -it web /bin/bash
root@0df13a8ec234:/# exit
exit
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0df13a8ec234 docker.io/library/nginx:latest nginx -g 24 seconds ago Up 23 seconds ago web
podman top: view the container's processes
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0df13a8ec234 docker.io/library/nginx:latest nginx -g 8 minutes ago Up 8 minutes ago web
#there are two processes
[root@localhost ~]# podman top 0df13a8ec234
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
root 1 0 0.000 8m36.093744355s ? 0s nginx: master process nginx -g daemon off;
nginx 27 1 0.000 8m36.093945649s ? 0s nginx: worker process
Configuration for ordinary (non-root) users
Before allowing users without root privileges to run Podman, the administrator must install or build Podman and complete the following configuration.
Steps:
Create an ordinary account
[root@localhost ~]# useradd ldaz
[root@localhost ~]# ll /home/
total 0
drwx------. 2 ldaz ldaz 62 Mar 11 00:45 ldaz
#log in as user ldaz
[root@localhost ~]# su - ldaz
Last login: Thu Mar 11 00:48:26 CST 2021 on pts/0
Differences between ordinary users and root
Images are stored in different locations
#user ldaz
[ldaz@localhost ~]$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
#user root
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/busybox latest b97242f89c8a 8 weeks ago 1.45 MB
docker.io/library/nginx latest f6d0b4767a6c 8 weeks ago 137 MB
The containers each user starts are independent of one another; running services with the same name under both users does not cause any interference either
#create a container as user ldaz
[ldaz@localhost ~]$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/busybox latest b97242f89c8a 8 weeks ago 1.45 MB
[ldaz@localhost ~]$ podman run -it busybox
/ # ls
bin dev etc home proc root run sys tmp usr var
/ #
#root cannot see the containers running under user ldaz
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cgroup V2 support
The cgroup V2 Linux kernel feature allows users to limit the resources that ordinary users' containers may use. If the Linux distribution running Podman has cgroup V2 enabled, the default OCI runtime may need to be changed. Some older versions of runc do not work with cgroup V2, so you must switch to the alternative OCI runtime, crun.
To do this for all commands, change the "default OCI runtime" value in the f configuration file, either system-wide or per user, from runtime = "runc" to runtime = "crun".
//do the following as root
##install crun
[root@localhost ~]# yum -y install crun
Installed:
dule_el8.3.0+699+d61d9c41.x86_64 yajl-2.1.0-10.el8.x86_64
Complete!
#uncomment and change the value to crun
[root@localhost ~]# vim /usr/share/f
# Default OCI runtime
#
runtime = "crun"
#start a container and check
[root@localhost ~]# podman run -d --rm nginx
300a7a6bff3ad3bc9c460536bc482ca673d986a6fc48f008fa67086a3106eeb0
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
300a7a6bff3a docker.io/library/nginx:latest nginx -g 8 seconds ago Up 8 seconds ago vibrant_einstein
#filter for crun
[root@localhost ~]# podman inspect 300a7a6bff3a|grep crun
"OCIRuntime": "crun",
"crun",
Install slirp4netns
slirp4netns provides user-mode networking and must be installed for Podman to run in an ordinary-user environment
[root@localhost ~]# yum -y install slirp4netns
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Repository AppStream is listed more than once in the configuration
Last metadata expiration check: 0:56:18 ago on Thu 11 Mar 2021 12:23:46 AM CST.
Package slirp4netns-1.dule_el8.3.0+699+d61d9c41.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@localhost ~]# c
slirp4netns-1.dule_el8.3.0+699+d61d9c41.x86_64
Install fuse-overlayfs
When using Podman as an ordinary user, fuse-overlayfs is recommended over the VFS storage driver; version 0.7.6 or later is required
[root@localhost ~]# yum -y install fuse-overlayfs
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Repository AppStream is listed more than once in the configuration
Last metadata expiration check: 0:58:28 ago on Thu 11 Mar 2021 12:23:46 AM CST.
Package fuse-overlayfs-1.dule_el8.3.0+699+d61d9c41.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@localhost ~]# rpm -qa|grep fuse-overlayfs
fuse-overlayfs-1.dule_el8.3.0+699+d61d9c41.x86_64
Configure the f file
[root@localhost ~]# vim /etc/f
# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
#uncomment the line below
mount_program = "/usr/bin/fuse-overlayfs"
Configure /etc/subuid and /etc/subgid
Podman requires the user running it to have a range of UIDs listed in the /etc/subuid and /etc/subgid files; the shadow-utils or newuid package provides these files
[root@localhost ~]# yum -y install shadow
Update /etc/subuid and /etc/subgid with entries, similar to the ones below, that allow each user to create containers. Note that each user's values must be unique and must not overlap. If ranges overlap, one user could operate inside another user's namespace and might corrupt it.
[root@localhost ~]# cat /etc/subuid
ldaz:100000:65536
[root@localhost ~]# useradd ldz
[root@localhost ~]# cat /etc/subuid
ldaz:100000:65536
ldz:165536:65536
The format of the file is USERNAME:UID:RANGE
the username, as listed in /etc/passwd or returned by getpwent.
the initial UID assigned to the user.
the size of the UID range assigned to the user.
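The warning above, that ranges must not overlap, is easy to check mechanically. The following shell example is added here and is not part of the original article: check_subid_overlap is a hypothetical helper that parses a file in /etc/subuid syntax (USERNAME:START:COUNT) and reports overlapping or malformed ranges, returning a non-zero status so it can be used in a provisioning script. The two sample files it writes are constructed; point it at the real /etc/subuid and /etc/subgid to check a host.

```shell
#!/bin/sh
# Added example, not from the original article: verify that the ranges in a
# file with /etc/subuid or /etc/subgid syntax (USERNAME:START:COUNT) do not
# overlap. An overlapping range would let one rootless user operate inside
# another user's namespace, which is exactly what the article warns against.
# Sample data below is constructed; run the function on the real files to check a host.

# Prints "ok" and returns 0 when every range is well-formed and disjoint;
# otherwise prints each problem and returns 1.
check_subid_overlap() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ || $3 < 1 {
            printf "malformed line %d: %s\n", NR, $0
            bad = 1
            next
        }
        {
            n++
            user[n] = $1
            lo[n] = $2 + 0
            hi[n] = $2 + $3 - 1                       # last UID of this range
            # Compare against every range seen so far (these files are small).
            for (i = 1; i < n; i++)
                if (lo[n] <= hi[i] && lo[i] <= hi[n]) {
                    printf "overlap: %s (%d-%d) and %s (%d-%d)\n",
                           user[i], lo[i], hi[i], user[n], lo[n], hi[n]
                    bad = 1
                }
        }
        END { if (bad) exit 1; print "ok" }
    ' "$1"
}

# Constructed sample files: the first mirrors the article's non-overlapping
# layout, the second gives ldz a range that starts inside ldaz's range.
tmp="${TMPDIR:-/tmp}/subuid-demo.$$"
printf 'ldaz:100000:65536\nldz:165536:65536\n' > "$tmp.good"
printf 'ldaz:100000:65536\nldz:150000:65536\n' > "$tmp.bad"

check_subid_overlap "$tmp.good"                               # ok
check_subid_overlap "$tmp.bad" || echo "range conflict, exit status $?"
rm -f "$tmp.good" "$tmp.bad"
```

The check treats two ranges as overlapping when the start of either lies at or before the end of the other, so a range that merely touches the next one (165535 followed by 165536, as in the article's output) is accepted. Run it on both /etc/subuid and /etc/subgid, since the two files are maintained separately and a clean UID file says nothing about the GID file.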
User configuration files
The Podman configuration files for root live in /usr/share/containers, with overrides in /etc/containers. In a rootless environment they live in ${XDG_CONFIG_HOME}/containers, usually ~/.config/containers, and are owned by each user.
There are three main configuration files; users can modify them as needed.
/usr/share/f
/etc/f
$HOME/.config/f
are read in that order, if they exist. Each file can override specific fields of the previous one.
/etc/f
$HOME/.config/f
For ordinary users, certain fields in /etc/f are ignored. These fields are:
graphroot=""
container storage graph dir (default: "/var/lib/containers/storage")
Default directory to store all writable content created by container storage programs.
runroot=""
container storage run dir (default: "/run/containers/storage")
Default directory to store all temporary writable content created by container storage programs.
For ordinary users these fields default to
graphroot="$HOME/.local/share/containers/storage"
runroot="$XDG_RUNTIME_DIR/containers"
The configuration is read in this order. These files are not created by default; they can be copied from /usr/share/containers or /etc/containers and then modified.
/etc/f
/etc/containers/registries.d/*
$HOME/.config/f
Using volumes
Rootless Podman is not root now and never will be. It is not a setuid binary and gains no privileges at run time. Instead, Podman uses user namespaces to shift the UIDs and GIDs of a block of users on the host (via the newuidmap and newgidmap executables), together with your own user, into the container it creates.
If your container runs as the root user, root inside the container is actually your own user on the host. UID/GID 1 is the first UID/GID specified in the user mapping in /etc/subuid and /etc/subgid. If, as a rootless user, you mount a host directory into the container and create a file in it as root, you will see that the file is actually owned by your user on the host.
Demonstration:
##performed as the ordinary user
[ldaz@localhost ~]$ whoami
ldaz
[ldaz@localhost ~]$ ls
[ldaz@localhost ~]$ mkdir leidazhuang
[ldaz@localhost ~]$ ls
leidazhuang
[ldaz@localhost ~]$ ll
total 0
drwxrwxr-x. 2 ldaz ldaz 6 Mar 11 01:46 leidazhuang
[ldaz@localhost ~]$ podman run -it --rm -v /home/ldaz/leidazhuang:/data:Z busybox /bin/sh
/ # ls
bin data dev etc home proc root run sys tmp usr var
/ # cd data/
/data # touch abc
/data # ls
abc
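The file abc created above as root inside the container shows up on the host as owned by ldaz. The arithmetic behind that, and behind what a bind-mounted file owned by some other host UID looks like from inside the container, is worked through in this added shell example, which is not part of the original article. subuid_range, map_container_uid and map_host_uid are hypothetical helpers; the host UID 1000 for ldaz and the subuid file the script writes are constructed values.

```shell
#!/bin/sh
# Added example, not from the original article: compute how UIDs translate
# between a rootless container and the host, following the mapping the
# article describes (container root -> the launching user; container UID n
# -> the n-th UID of that user's /etc/subuid range). All values are constructed.

# Look up USER's first range in a file with /etc/subuid syntax; prints "START COUNT".
subuid_range() {                      # $1 = file, $2 = user name
    awk -F: -v u="$2" '$1 == u { print $2, $3; exit }' "$1"
}

# Host UID that a file created by CONTAINER_UID is written to disk as.
# Usage: map_container_uid HOST_UID RANGE_START RANGE_COUNT CONTAINER_UID
map_container_uid() {
    if [ "$4" -eq 0 ]; then
        echo "$1"                                  # container root is the launching user
    elif [ "$4" -ge 1 ] && [ "$4" -le "$3" ]; then
        echo $(($2 + $4 - 1))                      # container UID n maps to START + n - 1
    else
        echo unmapped                              # the namespace has no such UID at all
    fi
}

# Reverse direction: the UID a container process sees on a file owned by FILE_OWNER_UID.
# Usage: map_host_uid HOST_UID RANGE_START RANGE_COUNT FILE_OWNER_UID
map_host_uid() {
    if [ "$4" -eq "$1" ]; then
        echo 0                                     # your own files look root-owned inside
    elif [ "$4" -ge "$2" ] && [ "$4" -lt $(($2 + $3)) ]; then
        echo $(($4 - $2 + 1))
    else
        echo unmapped                              # shown inside as the overflow UID (nobody)
    fi
}

# Constructed subuid file matching the article's ldaz line; 1000 is an assumed host UID for ldaz.
tmp="${TMPDIR:-/tmp}/subuid-map.$$"
printf 'ldaz:100000:65536\n' > "$tmp"
range=$(subuid_range "$tmp" ldaz)
ldaz_start=${range% *}
ldaz_count=${range#* }
ldaz_uid=1000

map_container_uid "$ldaz_uid" "$ldaz_start" "$ldaz_count" 0       # 1000: /data/abc is owned by ldaz
map_container_uid "$ldaz_uid" "$ldaz_start" "$ldaz_count" 1       # 100000
map_container_uid "$ldaz_uid" "$ldaz_start" "$ldaz_count" 65536   # 165535, last UID in the range
map_container_uid "$ldaz_uid" "$ldaz_start" "$ldaz_count" 70000   # unmapped
map_host_uid "$ldaz_uid" "$ldaz_start" "$ldaz_count" 100000       # 1
map_host_uid "$ldaz_uid" "$ldaz_start" "$ldaz_count" 0            # unmapped: host root is not visible
rm -f "$tmp"
```

Two practical consequences follow from the arithmetic. A directory on the host owned by root or by another user is unmapped and therefore read-only or inaccessible to the container no matter what the container's own UID is, which is the usual cause of "permission denied" on a rootless bind mount. And a process that the image runs as UID 1 (the nginx worker in the article runs as a dedicated user) writes files as host UID 100000, so the host's own file ownership reflects the container's privilege separation. On a real host, podman unshare cat /proc/self/uid_map prints the mapping Podman actually applied for the current user.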