• Podman installation and configuration for non-root users


    About Podman

    Podman is an open-source project, hosted on GitHub, that runs on most Linux platforms. It is a daemonless container engine for developing, managing and running Open Container Initiative (OCI) containers and container images on Linux. Podman provides a Docker-compatible command-line front end and can stand in for the Docker CLI directly; in the simplest case you add an alias, alias docker=podman, and keep using your existing Docker commands.

    Containers under Podman can be run by root or by an unprivileged user. Podman manages the whole container ecosystem, including pods, containers, container images and container volumes, through the libpod library. It focuses on the commands and features needed to maintain and modify OCI container images, such as pulling and tagging, and lets you create, run and maintain containers built from those images in production.

    Official documentation

    Installing Podman

    The Aliyun yum repository is used for the install here.

    [root@test ~]# yum -y install podman
    

    Configure the Aliyun registry mirror

    [root@test ~]# cd /etc/containers/
    # keep the packaged file as a reference, then drop its comment lines
    [root@test containers]# cp registries.conf{,.ori}
    [root@test containers]# grep -v "^#" registries.conf.ori > registries.conf
    
    [root@test containers]# vim registries.conf
    unqualified-search-registries = ['docker.io']
    
    [[registry]]
    prefix = 'docker.io'
    location = 'xxxxxxxx.mirror.aliyuncs.com'
    
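    The registries.conf above replaces docker.io outright with the mirror, so every pull depends on the mirror being up, and the mirror is trusted as if it were the registry itself. As an added example, not from the original post, the following registries.conf (v2 format) fragment declares the host as a mirror of docker.io instead: Podman tries the mirror first and falls back to docker.io if the mirror is unavailable, and the image keeps its docker.io/library/nginx name. The mirror hostname is the same placeholder as above.

```toml
unqualified-search-registries = ['docker.io']

[[registry]]
prefix = "docker.io"
location = "docker.io"

# Mirrors are tried in the order listed; the primary location is the fallback.
[[registry.mirror]]
location = "xxxxxxxx.mirror.aliyuncs.com"
# insecure defaults to false: TLS with certificate verification is required.
# Do not set it to true for a mirror reached over the public network.
insecure = false
```

    After editing, podman pull nginx still prints "Trying to pull docker.io/library/nginx:latest..." but fetches the blobs from the mirror when it can.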

    Pull an image

    [root@centos ~]# podman pull  nginx
    Completed short name "nginx" with unqualified-search registries (origin: /etc/containers/registries.conf)
    Trying to pull docker.io/library/nginx:latest...
    Getting image source signatures
    Copying blob 7125e4df9063 done  
    Copying blob a076a628af6f done  
    Copying blob f72584a26f32 done  
    Copying blob 0732ab25fa22 done  
    Copying blob d7f36f6fe38f done  
    Copying config f6d0b4767a done  
    Writing manifest to image destination
    Storing signatures
    f6d0b4767a6c466c178bf718f99bea0d3742b26679081e52dbf8e0c7c4c42d74
    

    Run a container

    With -p 80 and no host port given, Podman publishes container port 80 on a random high host port (42447 here); the host's address plus that port is what the curl below targets.

    [root@centos ~]# podman run  -d  --name t1 -p 80 docker.io/library/nginx
    a4034b8e031fca278f953b6bc173b9f2734f9740a65ec2cc3b371695d962415e
    [root@centos ~]# podman ps
    CONTAINER ID  IMAGE                    COMMAND               CREATED        STATUS            PORTS                  NAMES
    a4034b8e031f  docker.io/library/nginx  nginx -g daemon o...  6 seconds ago  Up 6 seconds ago  0.0.0.0:42447->80/tcp  t1
    
    # -l selects the most recently created container
    [root@centos ~]# podman inspect -l
    ......................
    "NetworkSettings": {
                "EndpointID": "",
                "Gateway": "10.88.0.1",
                "IPAddress": "10.88.0.3",
                "IPPrefixLen": 16,
    ......................
    
    [root@centos ~]# curl 192.168.248.133:42447
    <!DOCTYPE html>
    <html>
    <head>
    <title>Welcome to nginx!</title>
    <style>
        body {
            width: 35em;
            margin: 0 auto;
            font-family: Tahoma, Verdana, Arial, sans-serif;
        }
    </style>
    ............................................................
    

    podman logs: view a container's log

    [root@centos ~]# podman logs  -l
    /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
    /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
    10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
    10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
    /docker-entrypoint.sh: Configuration complete; ready for start up
    

    podman top <container>: view the processes running in a container

    [root@centos ~]# podman top t1
    USER    PID   PPID   %CPU    ELAPSED            TTY   TIME   COMMAND
    root    1     0      0.000   11m48.116689309s   ?     0s     nginx: master process nginx -g daemon off; 
    nginx   28    1      0.000   11m47.116736194s   ?     0s     nginx: worker process
    

    Pushing an image

    podman login with no registry argument logs in to the default registry, docker.io here. diqiyao/test:nginx is a short name; using the fully qualified name docker.io/diqiyao/test:nginx for both the tag and the push avoids any short-name ambiguity.

    [root@centos ~]# podman login
    [root@centos ~]# podman tag docker.io/library/nginx:latest diqiyao/test:nginx
    [root@centos ~]# podman push diqiyao/test:nginx
    

    Configuration for non-root users

    Before users without root privileges can run Podman, an administrator must install or build Podman and complete the following configuration.

    The cgroup v2 kernel feature lets the system limit the resources that an ordinary user's containers may use. If the Linux distribution running Podman has cgroup v2 enabled, the default OCI runtime may have to be changed: some older versions of runc do not work with cgroup v2, and you must switch to the alternative OCI runtime crun.

    [root@centos ~]# yum  -y install crun
    

    The alternative runtime can be selected per invocation with the global --runtime option, placed before the subcommand:

    podman --runtime crun <subcommand> ...
    

    It can also be set permanently in containers.conf by changing runtime = "runc" to runtime = "crun". The transcript below edits the package-supplied /usr/share/containers/containers.conf; that file is overwritten on package updates, so the durable place for the override is /etc/containers/containers.conf, which Podman reads after it.

    [root@centos ~]# vim /usr/share/containers/containers.conf
    ......................
    # volume_path = "/var/lib/containers/storage/volumes"
    
    # Default OCI runtime
    #
     runtime = "crun"
    
    # List of the OCI runtimes that support --format=json.  When json is supported
    # engine will use it for reporting nicer errors.
    #
    # runtime_supports_json = ["crun", "runc", "kata"]
    ...................................
    
    [root@centos ~]# podman start t1
    [root@centos ~]# podman inspect t1 | grep runc
            "OCIRuntime": "runc",
                "runc",
    # t1 still reports runc: the runtime is recorded in a container's configuration
    # when the container is created, so the new default only applies to containers created afterwards
    

    Install slirp4netns

    The slirp4netns package provides the user-mode networking that rootless containers use.

    [root@centos ~]# yum -y install slirp4netns
    

    Install fuse-overlayfs

    When running Podman as a non-root user, fuse-overlayfs is recommended over the VFS storage driver; version 0.7.6 or later is required.

    [root@centos ~]# yum -y install fuse-overlayfs
    

    Configure storage.conf

    [root@centos ~]# vim /etc/containers/storage.conf
    ...................
    # Default Storage Driver
    driver = "overlay"
    ................
    .................
    mount_program = "/usr/bin/fuse-overlayfs"
    .........................
    

    /etc/subuid and /etc/subgid configuration

    Podman requires that the user running it has a range of UIDs and GIDs listed in /etc/subuid and /etc/subgid; the shadow-utils (or newuid) package provides these files.

    [root@centos ~]# yum -y install shadow-utils
    

    Check /etc/subuid and /etc/subgid: each user's range must be unique and must not overlap any other user's, otherwise one user's containers could own and read files written by another user's containers.

    [root@centos ~]# cat /etc/subuid
    txx:100000:65536
    # useradd appends the next free range for the new user automatically
    [root@centos ~]# useradd test
    [root@centos ~]# cat /etc/subuid
    txx:100000:65536
    test:165536:65536
    

    The file format is USERNAME:START:COUNT

    • The user name, as listed in /etc/passwd or returned by getpwent.
    • The first UID of the range assigned to the user.
    • The number of UIDs in the range.

    User configuration files

    The three main configuration files are containers.conf, storage.conf and registries.conf; users can modify them as needed.

    containers.conf

    Podman reads

     1. /usr/share/containers/containers.conf
     2. /etc/containers/containers.conf
     3.$HOME/.config/containers/containers.conf
    

    if they exist, in that order. Each file can override the fields set in the previous ones.

    storage.conf

    For storage.conf the order is

    1./etc/containers/storage.conf
    2.$HOME/.config/containers/storage.conf
    

    In rootless mode some fields of /etc/containers/storage.conf are ignored:

    graphroot=""
     container storage graph dir (default: "/var/lib/containers/storage")
     Default directory to store all writable content created by container storage programs.
    
    runroot=""
     container storage run dir (default: "/run/containers/storage")
     Default directory to store all temporary writable content created by container storage programs.
    

    In rootless mode these fields default to

    graphroot="$HOME/.local/share/containers/storage"
    runroot="$XDG_RUNTIME_DIR/containers"
    

    registries.conf

    The configuration is read in this order. These files are not created by default; copy them from /usr/share/containers to /etc/containers and modify them there.

    1./etc/containers/registries.conf
    2./etc/containers/registries.d/*
    3.$HOME/.config/containers/registries.conf
    

    Authentication file

    podman login stores the credentials in an authentication file, by default ${XDG_RUNTIME_DIR}/containers/auth.json. The auth value it holds is only the base64 encoding of user:password, not encrypted, so treat the file as a secret; under /run/user it lives on tmpfs and does not survive a reboot.

    [root@centos ~]# podman login
    Username: diqiyao
    Password: 
    Login Succeeded!
    [root@centos ~]# cat /run/user/0/containers/auth.json 
    {
    	"auths": {
    		"docker.io": {
    ..................................
    ...............................
    

    Using volumes

    When a container runs as root, root inside the container is root on the host. In a rootless container, root inside the container is your own user on the host, and container UID/GID 1 is the first UID/GID of the range assigned to you in /etc/subuid and /etc/subgid. So if, as an ordinary user, you mount a host directory into a container and create files in it as container root, you will find on the host that those files are owned by your own user.

    [root@centos ~]# su - test
    [test@centos ~]$ whoami 
    test
    [test@centos ~]$ pwd
    /home/test
    [test@centos ~]$ mkdir test
    
    [test@centos ~]$ podman  run  -it --name t0 -v "$(pwd)"/test:/xxxxx busybox /bin/sh
    / # ls
    bin    dev    etc    home   proc   root   run    sys    tmp    usr    var    xxxxx
    / # touch xxxxx/abc
    / # ll xxxxx/abc 
    / # ls  -l xxxxx/abc 
    -rw-r--r--    1 root     root             0 Mar 10 23:05 xxxxx/abc
    / # exit
    
    [test@centos ~]$ ls -l
    total 0
    drwxrwxr-x 2 test test 17 Mar 11 07:05 test
    

    Use the --userns=keep-id flag to map your user to the same UID and GID inside the container:

    [test@centos ~]$ podman  run  -it --name t1 -v "$(pwd)"/test:/xxxxx --userns=keep-id  busybox /bin/sh
    ~ $ touch xxxxx/bcd
    ~ $ ls -l xxxxx/
    total 0
    -rw-r--r--    1 test     test             0 Mar 10 23:05 abc
    -rw-r--r--    1 test     test             0 Mar 10 23:10 bcd
    ~ $ exit
    [test@centos ~]$ ll test/
    total 0
    -rw-r--r-- 1 test test 0 Mar 11 07:05 abc
    -rw-r--r-- 1 test test 0 Mar 11 07:10 bcd
    
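    The two transcripts above show the effect of the rootless UID mapping empirically; the helper below, an added example written for this page (it is not from the original post and is not Podman code), makes the mapping explicit. It parses /etc/subuid entries, checks that the ranges are unique and do not overlap, and translates container UIDs to host UIDs for the default rootless mapping and for --userns=keep-id (the keep-id layout is taken from Podman's documented behaviour and treated here as an assumption). The txx and test lines are the page's; the host UID 1001 for test and the extra bob line are constructed.

```python
"""Rootless Podman ID-mapping helper (added example, not Podman code)."""
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple

# Constructed input: the /etc/subuid contents shown on the page ...
SUBUID_OK = """\
txx:100000:65536
test:165536:65536
"""
# ... plus an assumed bad line whose range (200000-265535) overlaps test's
# range (165536-231071); the overlap check below must flag it.
SUBUID_BAD = SUBUID_OK + "bob:200000:65536\n"


@dataclass(frozen=True)
class SubIdRange:
    user: str
    start: int   # first sub-ID of the range
    count: int   # number of sub-IDs in the range

    @property
    def last(self) -> int:
        return self.start + self.count - 1


def parse_subid(text: str) -> List[SubIdRange]:
    """Parse USERNAME:START:COUNT lines; blank lines and # comments are skipped."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected USER:START:COUNT, got {raw!r}")
        user, start, count = fields[0], int(fields[1]), int(fields[2])
        if start <= 0 or count <= 0:
            raise ValueError(f"line {lineno}: start and count must be positive")
        ranges.append(SubIdRange(user, start, count))
    return ranges


def find_overlaps(ranges: List[SubIdRange]) -> List[Tuple[str, str]]:
    """Pairs of users whose sub-ID ranges intersect. An overlap would let one
    user's containers own, and therefore read, files written by another's."""
    return [(a.user, b.user) for a, b in combinations(ranges, 2)
            if a.start <= b.last and b.start <= a.last]


# An ID map in /proc/<pid>/uid_map form: (container_start, host_start, count).
IdMap = List[Tuple[int, int, int]]


def default_rootless_map(host_uid: int, sub: SubIdRange) -> IdMap:
    """Default rootless mapping: container UID 0 is the host user, and
    container UIDs 1..count are the user's /etc/subuid range, in order."""
    return [(0, host_uid, 1), (1, sub.start, sub.count)]


def keep_id_map(host_uid: int, sub: SubIdRange) -> IdMap:
    """--userns=keep-id: the host user keeps its own UID inside the container;
    container root and every other UID come from the subuid range
    (layout assumed from Podman's documented keep-id behaviour)."""
    idmap: IdMap = []
    if host_uid > 0:
        idmap.append((0, sub.start, host_uid))                  # container 0..uid-1
    idmap.append((host_uid, host_uid, 1))                       # container uid -> host uid
    if sub.count > host_uid:
        idmap.append((host_uid + 1, sub.start + host_uid, sub.count - host_uid))
    return idmap


def to_host(idmap: IdMap, container_uid: int) -> Optional[int]:
    """Host UID that owns a file created by container_uid; None if unmapped
    (the kernel then shows the overflow UID, 65534/nobody, on the host)."""
    for c_start, h_start, count in idmap:
        if c_start <= container_uid < c_start + count:
            return h_start + (container_uid - c_start)
    return None


def to_container(idmap: IdMap, host_uid: int) -> Optional[int]:
    """Inverse of to_host: how a host-owned file appears inside the container."""
    for c_start, h_start, count in idmap:
        if h_start <= host_uid < h_start + count:
            return c_start + (host_uid - h_start)
    return None


if __name__ == "__main__":
    ranges = parse_subid(SUBUID_OK)
    print("overlaps in good file:", find_overlaps(ranges))
    print("overlaps in bad file: ", find_overlaps(parse_subid(SUBUID_BAD)))
    test_range = next(r for r in ranges if r.user == "test")
    TEST_UID = 1001  # assumed host UID of the "test" user
    dflt = default_rootless_map(TEST_UID, test_range)
    keep = keep_id_map(TEST_UID, test_range)
    # Default mapping: "root" in the container writes files owned by test on the host.
    print("default: container 0 ->", to_host(dflt, 0), "| container 1 ->", to_host(dflt, 1))
    # keep-id: test in the container is test on the host; container root is a sub-UID.
    print("keep-id: container 1001 ->", to_host(keep, TEST_UID), "| container 0 ->", to_host(keep, 0))
```

    Compare the triples with podman unshare cat /proc/self/uid_map, which prints the same container_start host_start count layout for your user. to_host explains both transcripts: under the default map, container UID 0 is host UID 1001 (test), so the file abc written by container root belongs to test; under keep-id, container UID 1001 is host UID 1001, so bcd is owned by test as well, while container root would write files owned by sub-UID 165536.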

    Publishing a privileged port as a non-root user fails with "permission denied"

    [test@centos ~]$ podman  run  --name nginx  -d  -p 80:80 nginx
    Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied
    

    Ports >= 1024 can be published

    [test@centos ~]$ podman  run  --name nginx  -d  -p 1024:80 nginx
    694258f5d83268e78015eb5d39c86913fb2ed2550a3edfe30613ee02cd11a804
    [test@centos ~]$ podman ps
    CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS               NAMES
    694258f5d832  docker.io/library/nginx:latest  nginx -g daemon o...  9 seconds ago  Up 8 seconds ago  0.0.0.0:1024->80/tcp  nginx
    

    Alternatively, add net.ipv4.ip_unprivileged_port_start=80 to /etc/sysctl.conf. This sysctl is host-wide: it lets every unprivileged process on the machine, not just Podman, bind ports from 80 upwards, so set it no lower than the port you actually need (80 here), or keep publishing on a high port instead.

    [root@centos ~]# echo  'net.ipv4.ip_unprivileged_port_start=80'  >> /etc/sysctl.conf
    [root@centos ~]# sysctl -p
    
    [test@centos ~]$ podman  run  --name nginx1  -d  -p 80:80 nginx
    c99e240ccd6a7e3c089a6e0d4d74149195cd6b28e1b170ae0e59fda3a4f4120d
    [test@centos ~]$ podman ps
    CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS                 NAMES
    c99e240ccd6a  docker.io/library/nginx:latest  nginx -g daemon o...  9 seconds ago  Up 9 seconds ago  0.0.0.0:80->80/tcp    nginx1
    
  • Original source: https://www.cnblogs.com/diqiyao/p/14513647.html