• podman


    podman

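    Podman official website: https://podman.io/

    Podman project repository: https://github.com/containers/podman

    What Podman is

    Podman is a daemonless, open-source, native Linux tool that makes it easier to find, install, run, and build containers, and to share and deploy them using OCI.

    Podman's command line will feel very familiar to anyone who knows Docker; most users can define an alias and use the podman command without any problems.

    Like other common container engines, Podman relies on an OCI-compliant container runtime (runc, crun, runv, etc.) to interface with the operating system and create containers. As a result, running containers created by Podman are nearly indistinguishable from those created by any other common container engine.

    Containers can be run either by root or by an unprivileged user. Podman manages the entire container ecosystem, including pods, containers, images, and container volumes, through the libpod library. Podman specializes in all of the commands and functions that help you maintain and modify OCI container images, such as pulling and tagging. It lets you create, run, and maintain containers and container images in a production environment.

    Because there is no daemon, Podman does not support restart.

    The image stores of the root user and of non-root users are independent and do not affect each other.

    Installation

    • Install with yum; if Docker is installed, uninstalling it first is recommended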
    [root@node5 ~]# yum -y install podman
    
    • Install podman-compose via yum and pip
    [root@node5 ~]# yum -y install python38-pip-19.3.1-1.module_el8.3.0+441+3b561464.noarch
    [root@node5 ~]# pip3 install podman-compose
    [root@node5 ~]#  podman-compose -v
    
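    • Registry mirror (accelerator) settings for users in mainland China
    [root@node5 containers]# vim registries.conf

    # Registries searched for unqualified (short) image names; only docker.io is used here
    unqualified-search-registries = ["docker.io"]

    [[registry]]
    # Image names under this prefix are pulled from "location" instead
    prefix = "docker.io"
    # Mirror (accelerator) address: host[:port][/path], without a URI scheme
    location = "xxx.mirror.aliyuncs.com"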
    
    

    Common commands

    • Check the version
    [root@node5 ~]# podman -v
    podman version 2.2.1
    
    
    • Show system information
    [root@node5 ~]# podman info 
    host:
      arch: amd64
      buildahVersion: 1.18.0
      cgroupManager: systemd
      cgroupVersion: v1
    ...
    
    • Pull an image
    [root@node5 ~]# podman pull nginx
    Completed short name "nginx" with unqualified-search registries (origin: /etc/containers/registries.conf)
    Trying to pull docker.io/library/nginx:latest...
    Getting image source signatures
    Copying blob a076a628af6f done  
    Copying blob d7f36f6fe38f done  
    Copying blob f72584a26f32 done  
    Copying blob 7125e4df9063 done  
    Copying blob 0732ab25fa22 done  
    Copying config f6d0b4767a done  
    Writing manifest to image destination
    Storing signatures
    f6d0b4767a6c466c178bf718f99bea0d3742b26679081e52dbf8e0c7c4c42d74
    [root@node5 ~]# podman images
    REPOSITORY               TAG     IMAGE ID      CREATED      SIZE
    docker.io/library/nginx  latest  f6d0b4767a6c  8 weeks ago  137 MB
    
    • Start a container
    [root@node5 ~]# podman run -td -p 80:80 --name web --rm nginx
    0f14054d88c0573aaa818aa60d88b2680e7dd2a5a7c2a220c2145d129a352f38
    
    
    • Inspect a container
    [root@node5 ~]# podman inspect web | grep IPAddress   # filter for the IP address
                "IPAddress": "10.88.0.2",
    
    
    • List the container's processes
    [root@node5 ~]# podman top web 
    USER    PID   PPID   %CPU    ELAPSED           TTY     TIME   COMMAND
    root    1     0      0.000   1m25.10053045s    pts/0   0s     nginx: master process nginx -g daemon off; 
    nginx   29    1      0.000   1m25.100762977s   pts/0   0s     nginx: worker process 
    
    
    • checkpoint (similar to a virtual machine snapshot)
    [root@node5 ~]# podman container checkpoint web


    • restore (similar to restoring a snapshot)
    [root@node5 ~]# podman container restore web


    • Manage tags
    [root@node5 ~]# podman untag docker.io/library/nginx:latest 
    
    • Generate a service file so that systemctl can start the container automatically
    # Run a container from an image
    [root@node5 ~]# podman run -td -p 80:80 --name web f6d0b4767a6c
    1ed76173244ae3c63e3f87975945efe897139a1c08cbbbbc03a8306945305f42
    # Create the systemd user directory
    [root@node5 ~]# mkdir -p .config/systemd/user
    [root@node5 ~]# ll .config/systemd/user
    total 0
    [root@node5 ~]# cd .config/systemd/user
    # Generate the service file
    [root@node5 user]# podman generate systemd --files --name web --new 
    /root/.config/systemd/user/container-web.service
    [root@node5 user]# cat container-web.service 
    # container-web.service
    # autogenerated by Podman 2.2.1
    # Thu Mar 11 21:58:55 CST 2021
    
    [Unit]
    Description=Podman container-web.service
    Documentation=man:podman-generate-systemd(1)
    Wants=network.target
    After=network-online.target
    
    [Service]
    Environment=PODMAN_SYSTEMD_UNIT=%n
    Restart=on-failure
    ExecStartPre=/bin/rm -f %t/container-web.pid %t/container-web.ctr-id
    ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-web.pid --cidfile %t/container-web.ctr-id --cgroups=no-conmon -d --replace -td -p 80:80 --name web f6d0b4767a6c
    ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-web.ctr-id -t 10
    ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-web.ctr-id
    PIDFile=%t/container-web.pid
    KillMode=none
    Type=forking
    
    [Install]
    WantedBy=multi-user.target default.target
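    # Remove the existing container
    [root@node5 user]# podman rm -f web
    # Reload the systemd configuration and enable the container service at boot
    [root@node5 user]# systemctl --user daemon-reload   # --user is recommended for non-root users
    [root@node5 user]# systemctl --user enable --now container-web.service
    # Check that the container is running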
    [root@node5 user]# podman ps -a
    CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS               NAMES
    4132f117f807  docker.io/library/nginx:latest  nginx -g daemon o...  5 seconds ago  Up 4 seconds ago  0.0.0.0:80->80/tcp  web
    # Check the systemctl service status
    [root@node5 user]# systemctl --user status container-web.service 
    ● container-web.service - Podman container-web.service
       Loaded: loaded (/root/.config/systemd/user/container-web.service; enabled; vendor preset: enabled)
       Active: active (running) since Thu 2021-03-11 22:06:52 CST; 2min 51s ago
         Docs: man:podman-generate-systemd(1)
      Process: 3076 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile /run/user/0/container-web.ctr-id (code=exited, status=0/SUCCESS)
      Process: 2948 ExecStop=/usr/bin/podman stop --ignore --cidfile /run/user/0/container-web.ctr-id -t 10 (code=exited, status=0/SUCCES>
      Process: 3502 ExecStart=/usr/bin/podman run --conmon-pidfile /run/user/0/container-web.pid --cidfile /run/user/0/container-web.ctr->
      Process: 3500 ExecStartPre=/bin/rm -f /run/user/0/container-web.pid /run/user/0/container-web.ctr-id (code=exited, status=0/SUCCESS)
     Main PID: 3600 (conmon)
        Tasks: 2 (limit: 23790)
       Memory: 4.0M
       CGroup: /user.slice/user-0.slice/user@0.service/container-web.service
               └─3600 /usr/bin/conmon --api-version 1 -c 4132f117f8075e36105be82e4c227aac9916aa301429d3054ce862a8908f3e21 -u 4132f117f807>
    
    Mar 11 22:06:51 node5 systemd[1619]: Starting Podman container-web.service...
    Mar 11 22:06:52 node5 systemd[1619]: Started Podman container-web.service.
    
    

    Using Podman as a non-root user

    Official documentation

    Install crun

    [root@node5 user]# yum -y install crun
    
    

    Edit the configuration file

    [root@node5 user]# vim /usr/share/containers/containers.conf
    ...
     runtime = "crun"
    

    Start a container and check the runtime

    [root@node5 user]# podman run --rm -d --name web nginx:latest 
    0cf6556c6621f95bf4be3d673c148748ec56a97734701f11bcc50d49c1cd2399
    [root@node5 user]# podman inspect web|grep OCI*
        ...
            "OCIRuntime": "crun",
                        "Name": "RLIMIT_NPROC",
    
    

    Install slirp4netns

    [root@node5 user]# yum -y install slirp4netns
    
    

    Install fuse-overlayfs

    [root@node5 user]# yum -y install fuse-overlayfs
    

    Start a container as a regular user to test

    [root@node5 ~]# su - test 
    Last login: Wed Mar 10 23:24:33 CST 2021 on pts/1
    [test@node5 ~]$ id test 
    uid=1000(test) gid=1000(test) groups=1000(test)
    
    [test@node5 ~]$ podman run -d --rm --name web nginx
    Completed short name "nginx" with unqualified-search registries (origin: /etc/containers/registries.conf)
    Trying to pull docker.io/library/nginx:latest...
    Getting image source signatures
    Copying blob a076a628af6f done  
    Copying blob d7f36f6fe38f done  
    Copying blob 7125e4df9063 done  
    Copying blob 0732ab25fa22 done  
    Copying blob f72584a26f32 done  
    Copying config f6d0b4767a done  
    Writing manifest to image destination
    Storing signatures
    482fa203a7b44566c25830709709806b7a62607e02c4fd4fa95a7a1fa512205f
    [test@node5 ~]$ podman ps
    CONTAINER ID  IMAGE                           COMMAND               CREATED         STATUS             PORTS   NAMES
    482fa203a7b4  docker.io/library/nginx:latest  nginx -g daemon o...  25 seconds ago  Up 24 seconds ago          web
    
    

    Login and credentials

    [test@node5 ~]$ podman login 
    Username: fxx013
    Password: 
    Login Succeeded!
    
    [root@node5 ~]# find / -name auth.json
    /tmp/podman-run-1000/containers/auth.json
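
podman login writes the registry credentials to the auth.json found above; unless a credential helper is configured, the file holds them base64-encoded, not encrypted. The following permission check is an added example, not part of the original post: the function name audit_auth_json and the sample file contents are constructed, and it assumes GNU stat as on the host shown here.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit a Podman auth.json, which
# stores registry credentials as base64("user:password") and is not encrypted.
# Assumes GNU coreutils stat (stat -c), as on the RHEL/CentOS host shown here.

# audit_auth_json FILE
# Prints findings without ever printing the stored credentials.
# Exit status: 0 = no finding, 1 = at least one finding, 2 = file missing.
audit_auth_json() {
    local f="$1" dir mode dmode findings=0
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    dir=$(dirname -- "$f")
    mode=$(stat -c '%a' -- "$f")
    dmode=$(stat -c '%a' -- "$dir")
    # Any group/other permission bit on the file exposes the credentials.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "file mode $mode allows group/other access: $f"; findings=1
    fi
    # A group/other-writable directory lets another user replace the file.
    if [ $(( 0$dmode & 022 )) -ne 0 ]; then
        echo "directory mode $dmode is group/other writable: $dir"; findings=1
    fi
    # Count lines holding an "auth" value; each one is a reusable secret.
    echo "stored credentials: $(grep -c '"auth"[[:space:]]*:' "$f")"
    return "$findings"
}

# Constructed sample file; the "auth" value is a placeholder, not a credential.
d=$(mktemp -d)
cat > "$d/auth.json" <<'EOF'
{
  "auths": {
    "docker.io": {
      "auth": "PLACEHOLDER_NOT_A_REAL_CREDENTIAL"
    }
  }
}
EOF
chmod 644 "$d/auth.json"
audit_auth_json "$d/auth.json" || true   # reports the 0644 file mode
chmod 600 "$d/auth.json"
audit_auth_json "$d/auth.json"           # only the credential count remains
rm -rf "$d"
```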
    
    
    Push to a remote registry
    [test@node5 ~]$ podman push docker.io/fxx/busybox:v0.1 
    
    

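    Enable user namespaces (RHEL 7)

    On most Linux platforms this is preset by default, so no adjustment is needed. On RHEL 7, however, a user with root privileges may need to set it to a reasonable value with the following command: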

    sysctl user.max_user_namespaces=15000
    

    Configure /etc/subuid and /etc/subgid

    Install shadow or newuid

    [root@node5 user]# yum -y install shadow-utils
    
    [root@node5 user]# yum -y install newuid
    

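    Update /etc/subuid and /etc/subgid with an entry like the following for each user who is allowed to create containers. Note that the values for each user must be unique and must not overlap. If there is an overlap, a user could use another user's namespace and could corrupt it.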

    [root@node5 user]# cat /etc/subuid
    test:100000:65536
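
One way to check the no-overlap requirement above, as an added example that is not part of the original post: the function name find_subid_overlaps and the users alice and bob are hypothetical, and the sample data is constructed around the page's test:100000:65536 entry.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): detect overlapping subordinate ID
# ranges in /etc/subuid- or /etc/subgid-format data (name:start:count per line).

# find_subid_overlaps FILE
# Prints one line for each range that overlaps an earlier (lower-starting) one.
# Exit status: 0 = no overlap, 1 = overlap found, 2 = malformed line present.
find_subid_overlaps() {
    # Sorting by start means each range only has to be compared with the
    # highest end seen so far.
    sort -t: -k2,2n "$1" | awk -F: '
        /^[ \t]*$/ { next }                       # ignore blank lines
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
            printf "malformed: %s\n", $0; bad = 1; next
        }
        {
            start = $2 + 0; last = start + $3 - 1
            if (seen && start <= max_end) {
                printf "overlap: %s [%d-%d] with %s [%d-%d]\n",
                       $1, start, last, owner, owner_start, max_end
                hit = 1
            }
            if (!seen || last > max_end) {
                max_end = last; owner = $1; owner_start = start
            }
            seen = 1
        }
        END { exit (bad ? 2 : (hit ? 1 : 0)) }'
}

# Constructed sample: "test" is the entry shown on this page; "alice" and "bob"
# are hypothetical users. The range for bob starts inside the range for alice.
sample=$(mktemp)
cat > "$sample" <<'EOF'
test:100000:65536
alice:165536:65536
bob:200000:65536
EOF
find_subid_overlaps "$sample" || echo "exit status: $?"
rm -f "$sample"
```

Run it against both /etc/subuid and /etc/subgid after adding a user's entry.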
    
    
  • Original post: https://www.cnblogs.com/fangxinxin/p/14515303.html