• podman


    podman简介

    Podman是一个开源项目,可在大多数Linux平台上使用并开源在GitHub上。Podman是一个无守护进程的容器引擎,用于在Linux系统上开发、管理和运行Open Container Initiative(OCI)容器和容器镜像。Podman提供了一个与Docker兼容的命令行前端,可以直接作为Docker CLI的替代品;简单地说,你可以直接添加别名 `alias docker=podman` 来使用podman。

    Podman控制下的容器可以由root用户运行,也可以由非特权用户运行。Podman管理整个容器的生态系统,其包括pod、容器、容器镜像,和使用libpod library的容器卷。Podman专注于帮助您维护和修改OCI容器镜像的所有命令和功能,例如拉取和标记。它允许您在生产环境中创建、运行和维护从这些镜像创建的容器。

    1. Podman 官网地址:https://podman.io/
    2. Podman 项目地址:https://github.com/containers/libpod


     安装podman

    //配置yum源
    [root@ansible ~]# curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-8.repo
    [root@ansible ~]# sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
    [root@ansible ~]# sed  -i 's#\$releasever#8#g'  /etc/yum.repos.d/CentOS-Base.repo
    [root@ansible ~]# yum install -y https://mirrors.aliyun.com/epel/epel-release-latest-8.noarch.rpm
    [root@ansible ~]# sed -i 's|^#baseurl=https://download.fedoraproject.org/pub|baseurl=https://mirrors.aliyun.com|' /etc/yum.repos.d/epel*
    [root@ansible ~]# sed -i 's|^metalink|#metalink|' /etc/yum.repos.d/epel*
    [root@ansible ~]# sed  -i 's#\$releasever#8#g'  /etc/yum.repos.d/epel.repo
    
    //用yum安装podman
    [root@RedHat ~]# yum -y install podman
    //配置加速器
    [root@RedHat containers]# cp registries.conf{,.ori} 
    [root@RedHat containers]# grep -v "^#" registries.conf.ori > registries.conf
    [root@RedHat containers]# vim registries.conf
    
    unqualified-search-registries = ["docker.io"]
      
    [[registry]]
    prefix= 'docker.io'
    location= 'xxxx.mirror.swr.myhuaweicloud.com'
    //podman拉取镜像
    [root@RedHat containers]# podman pull busybox
    Completed short name "busybox" with unqualified-search registries (origin: /etc/containers/registries.conf)
    Trying to pull docker.io/library/busybox:latest...
    Getting image source signatures
    Copying blob e5d9363303dd done  
    Copying config b97242f89c done  
    Writing manifest to image destination
    Storing signatures
    b97242f89c8a29d13aea12843a08441a4bbfc33528f55b60366c1d8f6923d0d4
    [root@RedHat containers]# podman images
    REPOSITORY                 TAG     IMAGE ID      CREATED      SIZE
    docker.io/library/busybox  latest  b97242f89c8a  8 weeks ago  1.45 MB
    //podman查看镜像
    [root@RedHat containers]# podman images
    REPOSITORY                 TAG     IMAGE ID      CREATED      SIZE
    docker.io/library/busybox  latest  b97242f89c8a  8 weeks ago  1.45 MB
    //podman删除镜像
    [root@RedHat containers]# podman rmi docker.io/library/busybox:latest
    Untagged: docker.io/library/busybox:latest
    Deleted: b97242f89c8a29d13aea12843a08441a4bbfc33528f55b60366c1d8f6923d0d4
    //root用户拉取的镜像在其他用户登录宿主机的时候是看不到的
    [root@RedHat ~]# podman images
    REPOSITORY                 TAG     IMAGE ID      CREATED      SIZE
    docker.io/library/busybox  latest  b97242f89c8a  8 weeks ago  1.45 MB
    
    [jerry@RedHat ~]$ id
    uid=1000(jerry) gid=1000(jerry) 组=1000(jerry) 环境=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    [jerry@RedHat ~]$ podman images
    REPOSITORY  TAG     IMAGE ID  CREATED  SIZE
    //相反,jerry用户拉取的镜像root也没有
    [jerry@RedHat ~]$ podman pull nginx
    Completed short name "nginx" with unqualified-search registries (origin: /etc/containers/registries.conf)
    Trying to pull docker.io/library/nginx:latest...
    Getting image source signatures
    Copying blob f72584a26f32 done  
    Copying blob a076a628af6f done  
    Copying blob 0732ab25fa22 done  
    Copying blob 7125e4df9063 done  
    Copying blob d7f36f6fe38f done  
    Copying config f6d0b4767a done  
    Writing manifest to image destination
    Storing signatures
    f6d0b4767a6c466c178bf718f99bea0d3742b26679081e52dbf8e0c7c4c42d74
    [jerry@RedHat ~]$ podman images
    REPOSITORY               TAG     IMAGE ID      CREATED      SIZE
    docker.io/library/nginx  latest  f6d0b4767a6c  8 weeks ago  137 MB
    
    [root@RedHat ~]# podman images
    REPOSITORY                 TAG     IMAGE ID      CREATED      SIZE
    docker.io/library/busybox  latest  b97242f89c8a  8 weeks ago  1.45 MB
    //在jerry用户中创建的容器在root里看不到
    [jerry@RedHat ~]$ podman run -it nginx /bin/sh
    # ls
    bin   dev           docker-entrypoint.sh  home  lib64  mnt  proc  run   srv  tmp  var
    boot  docker-entrypoint.d  etc             lib   media  opt  root  sbin  sys  usr
    # exit   
    [jerry@RedHat ~]$ podman ps -a
    CONTAINER ID  IMAGE                           COMMAND  CREATED         STATUS                    PORTS   NAMES
    f7281ca4a884  docker.io/library/nginx:latest  /bin/sh  47 seconds ago  Exited (0) 5 seconds ago          practical_liskov
    
    
    [root@RedHat ~]# podman ps -a
    CONTAINER ID  IMAGE   COMMAND  CREATED  STATUS  PORTS   NAMES
    //当root和jerry都创建名为web的容器时,两个容器是否会冲突呢?
    [root@RedHat ~]# podman run -it --rm --name web busybox
    / # ls
    bin   dev   etc   home  proc  root  run   sys   tmp   usr   var
    
    [root@RedHat ~]# podman ps
    CONTAINER ID  IMAGE                             COMMAND  CREATED         STATUS             PORTS   NAMES
    fc0b452940fd  docker.io/library/busybox:latest  sh       16 seconds ago  Up 15 seconds ago          web
    
    [jerry@RedHat ~]$ podman run -it --rm --name web busybox
    / # ls
    bin   dev   etc   home  proc  root  run   sys   tmp   usr   var
    
    [jerry@RedHat ~]$ podman ps
    CONTAINER ID  IMAGE                             COMMAND  CREATED         STATUS             PORTS   NAMES
    5294a0e55a83  docker.io/library/busybox:latest  sh       20 seconds ago  Up 19 seconds ago          web
    
    //如此可见,不同用户创建的容器是互相隔离的,并不会相互影响
    //如果你想用普通用户创建容器并且映射容器80到本机80端口的话
    [jerry@RedHat ~]$ podman run -it --rm --name web1 -p 80:80 busybox
    Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied
    
    //很显然失败了,但是你可以把端口数字调成大于等于1024,例如
    [jerry@RedHat ~]$ podman run -it --rm --name web1 -p 2000:80 busybox
    / # ls
    bin   dev   etc   home  proc  root  run   sys   tmp   usr   var
    
    [jerry@RedHat ~]$ podman ps
    CONTAINER ID  IMAGE                             COMMAND  CREATED        STATUS            PORTS                 NAMES
    f529b49fb389  docker.io/library/busybox:latest  sh       7 seconds ago  Up 6 seconds ago  0.0.0.0:2000->80/tcp  web1

    cgroup V2支持

    cgroup V2 Linux内核功能允许用户限制无根容器可以使用的资源量。如果使用cgroup V2启用了运行Podman的Linux发行
    版,则可能需要更改默认的OCI运行时。某些较旧的版本runc不适用于cgroup V2,您可能必须切换到备用OCI运行时
    crun。
    也可以在命令行中使用 --runtime 选项,为cgroup V2指定替代的OCI运行时:

    podman --runtime crun
    //我们使用yum安装crun
    [root@RedHat ~]# yum -y install crun

    cgroup V2 Linux内核功能允许用户限制无根容器可以使用的资源量。如果使用cgroup V2启用了运行Podman的Linux发行版,则可能需要更改默认的OCI运行时。某些较旧的版本runc不适用于cgroup V2,您可能必须切换到备用OCI运行时crun

    也可以在系统级或用户级修改containers.conf文件中“默认OCI运行时”的值,把 runtime = "runc" 改为 runtime = "crun",这样所有podman命令都会使用新的运行时。

     

    //取消注释并且修改
    [root@RedHat containers]# vim /usr/share/containers/containers.conf 
    
     runtime = "crun"
    
    [root@RedHat containers]# podman run -it --rm --name web1 busybox
    
    [root@RedHat ~]# podman inspect web1|grep crun
            "OCIRuntime": "crun",
                "crun",

    使用普通用户创建容器会发现容器内容器外UID不一致

    [jerry@RedHat ~]$ mkdir 123
    [jerry@RedHat ~]$ podman run -it --rm -v /home/jerry/123:/data busybox /bin/sh
    / # cd data/
    /data # touch abc
    /data # ls -l
    total 0
    -rw-r--r--    1 root     root             0 Mar 10 22:17 abc
    
    /data # exit
    [jerry@RedHat ~]$ cd 123/
    [jerry@RedHat 123]$ ll
    总用量 0
    -rw-r--r--. 1 jerry jerry 0 3月  11 06:17 abc
    [jerry@RedHat 123]$ 

    为了使容器内外的UID保持一致,可以使用 --userns=keep-id 选项

    [jerry@RedHat 123]$ podman run -it --rm --userns=keep-id -v /home/jerry/123/:/data busybox 
    ~ $ cd data/
    /data $ ls -l
    total 0
    -rw-r--r--    1 jerry    jerry            0 Mar 10 22:17 abc
    /data $ 

     转自:https://www.cnblogs.com/lichouluoyu/p/14513622.html

  • 原文地址:https://www.cnblogs.com/javalinux/p/15788747.html