Podman简介
Podman是一个开源项目,可在大多数Linux平台上使用并开源在GitHub上。Podman是一个无守护进程的容器引擎,用于在Linux系统上开发,管理和运行Open Container Initiative(OCI)容器和容器镜像。Podman提供了一个与Docker兼容的命令行前端,它可以简单地作为Docker cli,简单地说你可以直接添加别名:alias docker = podman来使用podman。
Podman控制下的容器可以由root用户运行,也可以由非特权用户运行。Podman管理整个容器的生态系统,其包括pod,容器,容器镜像,和使用libpod library的容器卷。Podman专注于帮助您维护和修改OCI容器镜像的所有命令和功能,例如拉取和标记。它允许您在生产环境中创建,运行和维护从这些映像创建的容器。
Podman安装
这里使用阿里云yum源进行安装
[root@test ~]# yum -y install podman
配置阿里云镜像加速器
[root@test ~]# cd /etc/containers/ [root@test containers]# cp registries.conf{,.ori} [root@test containers]# grep -v "^#" registries.conf.ori > registries.conf [root@test containers]# vim registries.conf unqualified-search-registries = ['docker.io'] [[registry]] prefix= 'docker.io' location= 'xxxxxxxx.mirror.aliyuncs.com'
拉取镜像
[root@centos ~]# podman pull nginx Completed short name "nginx" with unqualified-search registries (origin: /etc/containers/registries.conf) Trying to pull docker.io/library/nginx:latest... Getting image source signatures Copying blob 7125e4df9063 done Copying blob a076a628af6f done Copying blob f72584a26f32 done Copying blob 0732ab25fa22 done Copying blob d7f36f6fe38f done Copying config f6d0b4767a done Writing manifest to image destination Storing signatures f6d0b4767a6c466c178bf718f99bea0d3742b26679081e52dbf8e0c7c4c42d74
运行容器
[root@centos ~]# podman run -d --name t1 -p 80 docker.io/library/nginx a4034b8e031fca278f953b6bc173b9f2734f9740a65ec2cc3b371695d962415e [root@centos ~]# podman ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES a4034b8e031f docker.io/library/nginx nginx -g daemon o... 6 seconds ago Up 6 seconds ago 0.0.0.0:42447->80/tcp t1 #-l 查看最新的容器信息 [root@centos ~]# podman inspect -l ...................... "NetworkSettings": { "EndpointID": "", "Gateway": "10.88.0.1", "IPAddress": "10.88.0.3", "IPPrefixLen": 16, ...................... [root@centos ~]# curl 192.168.248.133:42447 <!DOCTYPE html> <html> <head> <title>Welcome to nginx!</title> <style> body { 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; } </style> ............................................................
podman logs查看容器日志
[root@centos ~]# podman logs -l /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/ /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh 10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf 10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh /docker-entrypoint.sh: Configuration complete; ready for start up
pod top <container_id>产看容器pid
[root@centos ~]# podman top t1 USER PID PPID %CPU ELAPSED TTY TIME COMMAND root 1 0 0.000 11m48.116689309s ? 0s nginx: master process nginx -g daemon off; nginx 28 1 0.000 11m47.116736194s ? 0s nginx: worker process
镜像的上传
[root@centos ~]# podman login root@centos ~]# podman tag docker.io/library/nginx:latest diqiyao/test:nginx [root@centos ~]# podman push diqiyao/test:nginx
普通用户使用的配置
在允许没有root特权的用户运行Podman之前,管理员必须安装或构建Podman并完成以下配置
cgroup V2Linux内核功能允许用户限制普通用户容器可以使用的资源,如果使用cgroup V2启用了运行Podman的Linux发行版,则可能需要更改默认的OCI运行时。某些较旧的版本runc
不适用于cgroup V2,必须切换到备用OCI运行时crun。
[root@centos ~]# yum -y install crun
可以使用--runtime
选项在命令行中打开对cgroup V2的替代OCI运行时支持
podman --runtime crun
也可以修改containers.conf文件runtime = "runc"
到runtime = "crun"
[root@centos ~]# vim /usr/share/containers/containers.conf ...................... # volume_path = "/var/lib/containers/storage/volumes" # Default OCI runtime # runtime = "crun" # List of the OCI runtimes that support --format=json. When json is supported # engine will use it for reporting nicer errors. # # runtime_supports_json = ["crun", "runc", "kata"] ................................... [root@centos ~]# podman start t1 [root@centos ~]# podman inspect t1 | grep runc "OCIRuntime": "runc", "runc",
安装slirp4netns
slirp4nets包为普通用户提供一种网络模式
[root@centos ~]# yum -y install slirp4netns
安装fuse-overlayfs
在普通用户环境中使用Podman时,建议使用fuse-overlayfs而不是VFS文件系统,至少需要版本0.7.6。
[root@centos ~]# yum -y install fuse-overlayfs
配置storage.conf
文件
[root@centos ~]# vim /etc/containers/storage.conf ................... # Default Storage Driver driver = "overlay" ................ ................. mount_program = "/usr/bin/fuse-overlayfs" .........................
/ etc / subuid和/ etc / subgid配置
Podman要求运行它的用户在/ etc / subuid和/ etc / subgid文件中列出一系列UID,shadow-utils
或newuid
包提供这些文件
[root@centos ~]# yum -y install shadow-utils
可以在/ etc / subuid和/ etc / subgid查看,每个用户的值必须唯一且没有任何重叠。
[root@centos ~]# cat /etc/subuid txx:100000:65536 [root@centos ~]# useradd test [root@centos ~]# cat /etc/subuid txx:100000:65536 test:165536:65536
该文件的格式为USERNAME:UID:RANGE
- 在/ etc / passwd或getpwent中列出的用户名。
- 为用户分配的初始uid。
- 为用户分配的UID范围的大小
用户的配置文件
三个主要的配置文件是container.conf,storage.conf和registries.conf。用户可以根据需要修改这些文件。
container.conf
Podman读取时
1. /usr/share/containers/containers.conf 2. /etc/containers/containers.conf 3.$HOME/.config/containers/containers.conf
如果它们以该顺序存在。每个文件都可以覆盖特定字段的先前文件。
storage.conf
对于storge.conf则是
1./etc/containers/storage.conf 2.$HOME/.config/containers/storage.conf
在普通用户中/etc/containers/storage.conf的一些字段
将被忽略
graphroot="" container storage graph dir (default: "/var/lib/containers/storage") Default directory to store all writable content created by container storage programs. runroot="" container storage run dir (default: "/run/containers/storage") Default directory to store all temporary writable content created by container storage programs.
在普通用户中这些字段默认
graphroot="$HOME/.local/share/containers/storage" runroot="$XDG_RUNTIME_DIR/containers"
registries.conf
配置按此顺序读入,这些文件不是默认创建的,可以从/usr/share/containers
或复制文件/etc/containers
并进行修改。
1./etc/containers/registries.conf 2./etc/containers/registries.d/* 3.HOME/.config/containers/registries.conf
授权文件
podman login 登录,默认授权文件位于中${XDG_RUNTIME_DIR}/containers/auth.json
[root@centos ~]# podman login Username: diqiyao Password: Login Succeeded! [root@centos ~]# cat /run/user/0/containers/auth.json { "auths": { "docker.io": { .................................. ...............................
使用卷
容器与root用户一起运行,则root
容器中的用户实际上就是主机上的用户。UID / GID 1是在/etc/subuid
和/etc/subgid
等中用户映射中指定的第一个UID / GID 。如果普通用户的身份从主机目录挂载到容器中,并在该目录中以根用户身份创建文件,则会看到它实际上是你的用户在主机上拥有的。
[root@centos ~]# su - test [test@centos ~]$ whoami test [test@centos ~]$ pwd /home/test [test@centos ~]$ mkdir test [test@centos ~]$ podman run -it --name t0 -v "$(pwd)"/test:/xxxxx busybox /bin/sh / # ls bin dev etc home proc root run sys tmp usr var xxxxx / # touch xxxxx/abc / # ll xxxxx/abc / # ls -l xxxxx/abc -rw-r--r-- 1 root root 0 Mar 10 23:05 xxxxx/abc / # exit [test@centos ~]$ ls -l total 0 drwxrwxr-x 2 test test 17 Mar 11 07:05 test
--userns=keep-id
标志,以确保用户被映射到容器内自己的UID和GID。
[test@centos ~]$ podman run -it --name t1 -v "$(pwd)"/test:/xxxxx --userns=keep-id busybox /bin/sh ~ $ touch xxxxx/bcd ~ $ ls -l xxxxx/ total 0 -rw-r--r-- 1 test test 0 Mar 10 23:05 abc -rw-r--r-- 1 test test 0 Mar 10 23:10 bcd ~ $ exit [test@centos ~]$ ll test/ total 0 -rw-r--r-- 1 test test 0 Mar 11 07:05 abc -rw-r--r-- 1 test test 0 Mar 11 07:10 bcd
使用普通用户映射容器端口时会报“ permission denied”的错误
[test@centos ~]$ podman run --name nginx -d -p 80:80 nginx Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied
可以映射>= 1024的端口
[test@centos ~]$ podman run --name nginx -d -p 1024:80 nginx 694258f5d83268e78015eb5d39c86913fb2ed2550a3edfe30613ee02cd11a804 [test@centos ~]$ podman ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 694258f5d832 docker.io/library/nginx:latest nginx -g daemon o... 9 seconds ago Up 8 seconds ago 0.0.0.0:1024->80/tcpnginx
配置echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf
[root@centos ~]# echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf [root@centos ~]# sysctl -p test@centos ~]$ podman run --name nginx1 -d -p 80:80 nginx c99e240ccd6a7e3c089a6e0d4d74149195cd6b28e1b170ae0e59fda3a4f4120d [test@centos ~]$ podman ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES c99e240ccd6a docker.io/library/nginx:latest nginx -g daemon o... 9 seconds ago Up 9 seconds ago 0.0.0.0:80->80/tcp nginx1