Podman is a daemonless, open source, Linux-native tool designed to make it easy to find, run, build, share and deploy applications using Open Container Initiative (OCI) containers and container images. Podman provides a command-line interface (CLI) familiar to anyone who has used the Docker container engine; most users can simply alias Docker to Podman (alias docker=podman) without any problems. Like other common container engines (Docker, CRI-O, containerd), Podman relies on an OCI-compliant container runtime (runc, crun, runv, etc.) to interface with the operating system and create the running containers. This makes the running containers created by Podman nearly indistinguishable from those created by any other common container engine.
Containers under Podman's control can be run either by root or by an unprivileged user. Podman manages the entire container ecosystem, which includes pods, containers, container images and container volumes, using the libpod library. Podman specializes in all of the commands and functions that help you maintain and modify OCI container images, such as pulling and tagging, and lets you create, run and maintain those containers and images in a production environment.
The Podman service itself runs only on Linux, but a remote REST API client exists for Mac and Windows and can talk over ssh to a Podman service running on a Linux machine or VM.
Docker is a container engine and so is Podman; the architectural difference that matters for security is that Podman has no long-running, root-owned daemon: each container is supervised by its own conmon process, and a rootless user's containers run entirely inside that user's own user namespace.
[root@localhost ~]# dnf -y install podman
CentOS Stream 8 - Extras 11 kB/s | 16 kB 00:01
Dependencies resolved.
=============================================================================================================================================================================================
Package Arch Version Repository Size
=============================================================================================================================================================================================
Installing:
podman x86_64 1:3.4.1-3.module_el8.6.0+954+963caf36 appstream 12 M
····· output trimmed ·····
Upgraded:
libsemanage-2.9-6.el8.x86_64 policycoreutils-2.9-17.el8.x86_64
Installed:
checkpolicy-2.9-1.el8.x86_64 conmon-2:2.0.30-1.module_el8.6.0+944+d413f95e.x86_64
container-selinux-2:2.170.0-1.module_el8.6.0+954+963caf36.noarch containernetworking-plugins-1.0.1-1.module_el8.6.0+944+d413f95e.x86_64
python3-libsemanage-2.9-6.el8.x86_64 python3-policycoreutils-2.9-17.el8.noarch
python3-setools-4.3.0-3.el8.x86_64 runc-1.0.2-1.module_el8.6.0+926+8bef8ae7.x86_64
slirp4netns-1.1.8-1.module_el8.6.0+926+8bef8ae7.x86_64
Complete!
[root@localhost ~]# which podman
/usr/bin/podman
Before users without root privileges can run Podman, an administrator must install (or build) Podman and complete the following configuration.
cgroup v2 is a Linux kernel feature that lets you limit the resources an ordinary user's containers may consume. If the distribution running Podman is booted with cgroup v2 enabled, the default OCI runtime may need to be changed: some older versions of runc do not work with cgroup v2, and you must switch to the alternative OCI runtime crun. You can check which cgroup version the host uses with stat -fc %T /sys/fs/cgroup (cgroup2fs means cgroup v2, tmpfs means cgroup v1).
[root@localhost ~]# yum -y install crun
[root@localhost ~]# rpm -qa|grep crun
crun-1.2-1.module_el8.6.0+954+963caf36.x86_64
The alternative OCI runtime can be selected for a single invocation with the --runtime option, or permanently by setting it in containers.conf:
podman --runtime crun
Edit containers.conf. The setting lives in the [engine] table. Note that /usr/share/containers/containers.conf, edited below, is the packaged default and is overwritten on the next package upgrade; the durable place for this override is /etc/containers/containers.conf for the whole system, or $HOME/.config/containers/containers.conf for a single rootless user, which needs no root at all.
[root@localhost ~]# vim /usr/share/containers/containers.conf
# Default OCI runtime
#
#runtime = "crun"
runtime = "crun"
Install slirp4netns
The slirp4netns package provides a network mode for ordinary (rootless) users. When using Podman as an ordinary user, fuse-overlayfs is recommended instead of the VFS storage driver; fuse-overlayfs version 0.7.6 or later is required. (On kernels 5.11 and newer, rootless Podman can also mount overlayfs natively inside the user namespace, and fuse-overlayfs is no longer needed.)
[root@localhost ~]# dnf -y install slirp4netns fuse-overlayfs ## install slirp4netns and fuse-overlayfs
[root@localhost ~]# rpm -qa|grep slirp4netns
slirp4netns-1.1.8-1.module_el8.6.0+926+8bef8ae7.x86_64
[root@localhost ~]# rpm -qa|grep fuse-overlayfs
fuse-overlayfs-1.7.1-1.module_el8.6.0+926+8bef8ae7.x86_64
Configure storage.conf. With the overlay driver, mount_program belongs to the [storage.options.overlay] table. This is the system-wide file; a rootless user who cannot edit it can put the same keys in $HOME/.config/containers/storage.conf.
[root@localhost ~]# vim /etc/containers/storage.conf
···· trimmed ···
# Default Storage Driver, Must be set for proper operation.
driver = "overlay"
···· trimmed ···
# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
mount_program = "/usr/bin/fuse-overlayfs" # uncomment this line
···· trimmed ···
The three main configuration files are containers.conf, storage.conf and registries.conf. Users can modify these files as needed.
Podman reads containers.conf files in the order below. Every file that exists is read, and a value set in a later file overrides the same value from an earlier one (it does not stop at the first file it finds):
1. /usr/share/containers/containers.conf
2. /etc/containers/containers.conf
3. $HOME/.config/containers/containers.conf
For storage.conf the order is (the user-level file, when present, takes precedence over the system file):
1. /etc/containers/storage.conf
2. $HOME/.config/containers/storage.conf
For an ordinary (rootless) user, some fields of /etc/containers/storage.conf are ignored:
graphroot="" container storage graph dir (default: "/var/lib/containers/storage")
Default directory to store all writable content created by container storage programs.
runroot="" container storage run dir (default: "/run/containers/storage")
Default directory to store all temporary writable content created by container storage programs.
For an ordinary user these fields default to:
graphroot="$HOME/.local/share/containers/storage"
runroot="$XDG_RUNTIME_DIR/containers"
registries.conf is read in the order below. The per-user files are not created by default; copy them from /usr/share/containers or /etc/containers and modify them:
1. /etc/containers/registries.conf
2. /etc/containers/registries.d/*
3. $HOME/.config/containers/registries.conf
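To make the override order concrete, here is an added example (it is not from this page or from the Podman project) that applies Podman's containers.conf read order to in-memory copies of the files. The file contents are constructed, and parse_minimal_toml is a hypothetical helper of my own that understands only [table] headers and key = "string" lines, which is all this check needs; a real tool would use a TOML library.

```python
import re
from typing import Dict, Optional, Tuple

# Read order Podman uses for containers.conf: every file that exists is read,
# and a key set in a later file overrides the same key from an earlier one.
CONTAINERS_CONF_ORDER = (
    "/usr/share/containers/containers.conf",
    "/etc/containers/containers.conf",
    "$HOME/.config/containers/containers.conf",
)

_TABLE = re.compile(r"^\[(?P<name>[A-Za-z0-9_.]+)\]$")
_STRING_KEY = re.compile(r'^(?P<key>[A-Za-z0-9_]+)\s*=\s*"(?P<val>[^"]*)"$')


def parse_minimal_toml(text: str) -> Dict[Tuple[str, str], str]:
    """Hypothetical minimal parser: only [table] headers and key = "string"
    lines. Comment lines, blank lines and any other syntax are skipped."""
    table = ""
    settings: Dict[Tuple[str, str], str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _TABLE.match(line)
        if m:
            table = m.group("name")
            continue
        m = _STRING_KEY.match(line)
        if m:
            settings[(table, m.group("key"))] = m.group("val")
    return settings


def effective_setting(files: Dict[str, str], table: str, key: str
                      ) -> Tuple[Optional[str], Optional[str]]:
    """Apply the override order to file contents given as path -> text and
    return (value, path that set it). Missing files are simply skipped."""
    value = source = None
    for path in CONTAINERS_CONF_ORDER:
        if path not in files:
            continue
        settings = parse_minimal_toml(files[path])
        if (table, key) in settings:
            value, source = settings[(table, key)], path
    return value, source


# Constructed contents: the packaged default names runc and the
# administrator's system-wide override names crun. /etc is where the edit
# shown above belongs, so that a package upgrade cannot revert it.
SAMPLE_FILES = {
    "/usr/share/containers/containers.conf":
        '[engine]\n# Default OCI runtime\n#runtime = "crun"\nruntime = "runc"\n',
    "/etc/containers/containers.conf":
        '[engine]\nruntime = "crun"\n',
}

if __name__ == "__main__":
    print(effective_setting(SAMPLE_FILES, "engine", "runtime"))
```

Adding a third entry for $HOME/.config/containers/containers.conf to SAMPLE_FILES shows the rootless case: the user's file wins over both system files, so a rootless user can pin crun without touching anything under /etc.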
Log in to a registry with podman login. For root the authorization file defaults to /run/user/0/containers/auth.json (for a rootless user it is $XDG_RUNTIME_DIR/containers/auth.json). The "auth" value stored there is only base64("username:password"), not encryption: anyone who can read the file has the password, so keep its mode at 0600 and prefer scoped, short-lived tokens where the registry offers them. Because /run/user/<uid> is a tmpfs, the stored login does not survive a reboot.
[root@localhost ~]# podman login docker.io
Username: best2001
Password:
Login Succeeded!
[root@localhost ~]# cat /run/user/0/containers/auth.json
{
"auths": {
"docker.io": {
"auth": "YmVzdDIwMDE6bGl1cWlhbmcyMDAxNzI="
}
}
}
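The following added example (not from the page or the Podman project) audits an auth.json of the shape shown above: it decodes each "auth" entry just far enough to recover the user name, proving that the value is plain base64 rather than an encrypted secret, and flags a file that is readable by group or other. The sample credential alice:s3cret and the temporary file are constructed for the demo.

```python
import base64
import json
import os
import stat
import tempfile
from typing import Dict, List


def registry_credentials(auth_json_text: str) -> List[Dict[str, object]]:
    """One record per registry in a containers auth.json. The "auth" field is
    base64("user:password"); only the user name is surfaced here, but anyone
    who can read the file can recover the password the same way."""
    data = json.loads(auth_json_text)
    records: List[Dict[str, object]] = []
    for registry, entry in data.get("auths", {}).items():
        user, has_secret = None, False
        if "auth" in entry:
            decoded = base64.b64decode(entry["auth"]).decode("utf-8", "replace")
            user, _, secret = decoded.partition(":")
            has_secret = bool(secret)
        records.append({"registry": registry, "user": user, "has_secret": has_secret})
    return records


def audit_auth_file(path: str) -> List[str]:
    """Findings a reviewer would want: file mode too open, and which
    registries have a reusable password sitting on disk."""
    findings: List[str] = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:04o} is readable by group/other")
    with open(path) as fh:
        for rec in registry_credentials(fh.read()):
            if rec["has_secret"]:
                findings.append(
                    f"{rec['registry']}: stored password for user {rec['user']} "
                    "(base64 only, not encrypted)")
    return findings


# Constructed sample in the same shape as the file above, with a fake credential.
SAMPLE_AUTH_JSON = json.dumps({
    "auths": {"docker.io": {"auth": base64.b64encode(b"alice:s3cret").decode()}}
})


def demo() -> List[str]:
    """Write the sample to a temp file with a deliberately loose mode and audit it."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "auth.json")
        with open(p, "w") as fh:
            fh.write(SAMPLE_AUTH_JSON)
        os.chmod(p, 0o644)  # too open: group/other can read the credential
        return audit_auth_file(p)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it against the real file with audit_auth_file("/run/user/0/containers/auth.json"); on a correctly created file the mode finding is absent and only the list of registries holding a password remains, which is the list you need to rotate if the host is ever compromised.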
The number of user namespaces allowed on the system is specified in /proc/sys/user/max_user_namespaces. On most Linux platforms this is set to a sensible default and needs no adjustment; on RHEL 7 machines, however, a user with root privileges may need to raise it with sysctl (the key is user.max_user_namespaces). Keep it generous but finite: every rootless container consumes one, and a value of 0 disables rootless Podman entirely.
/etc/subuid and /etc/subgid configuration
Podman requires the user running it to have a range of subordinate UIDs listed in /etc/subuid and of subordinate GIDs in /etc/subgid. These files, together with the setuid helpers newuidmap and newgidmap that apply them, are provided by the shadow-utils (or newuid) package.
[root@localhost ~]# rpm -qa| grep shadow-util
shadow-utils-4.6-12.el8.x86_64
For each user who will be allowed to create containers, add an entry to /etc/subuid and /etc/subgid like the ones below. Note that each user's range must be unique: if ranges overlap, one user can operate inside another user's namespace and could corrupt it.
[root@localhost ~]# useradd test
[root@localhost ~]# cat /etc/subuid
test:100000:65536
[root@localhost ~]# cat /etc/subgid
test:100000:65536
The file format is USERNAME:START:COUNT, so test:100000:65536 covers host IDs 100000 through 165535; the container's UID 0 maps to the user's own UID and container UIDs 1 to 65536 map onto that range. On this host useradd created the entries automatically; on systems where it does not, add them with usermod --add-subuids 100000-165535 --add-subgids 100000-165535 test. The ranges must also stay clear of real account IDs, otherwise a container UID would map onto a host account.
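Here is an added example (not from the page or the Podman project) that checks the two properties the paragraph asks for: parsing /etc/subuid lines in the USERNAME:START:COUNT format shown above, reporting ranges that overlap between users, and reporting ranges that swallow a real account from /etc/passwd. The sample file contents are constructed; the users bob and carol do not exist on the page's host.

```python
from typing import Dict, List, Tuple

Range = Tuple[str, int, int]  # (user name, first id, count)


def parse_subid(text: str) -> List[Range]:
    """Parse /etc/subuid or /etc/subgid: one NAME:START:COUNT entry per line."""
    ranges: List[Range] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        ranges.append((name, int(start), int(count)))
    return ranges


def parse_passwd_uids(text: str) -> Dict[str, int]:
    """Map account name -> uid from /etc/passwd text (only the fields needed)."""
    uids: Dict[str, int] = {}
    for raw in text.splitlines():
        if raw.strip() and not raw.startswith("#"):
            fields = raw.split(":")
            uids[fields[0]] = int(fields[2])
    return uids


def find_subid_problems(ranges: List[Range], real_ids: Dict[str, int]) -> List[str]:
    """Report ranges that overlap another user's range (that user could then
    operate inside the other's namespace) and ranges that contain a real
    account id (a container uid would map onto a host account)."""
    problems: List[str] = []
    by_start = sorted(ranges, key=lambda r: r[1])
    for i, (name, start, count) in enumerate(by_start):
        end = start + count - 1
        # Sorted by start, so once a later range starts past our end, none overlap.
        for other, ostart, ocount in by_start[i + 1:]:
            if ostart > end:
                break
            problems.append(
                f"{name} [{start}-{end}] overlaps {other} [{ostart}-{ostart + ocount - 1}]")
        for account, uid in real_ids.items():
            if start <= uid <= end:
                problems.append(f"{name} [{start}-{end}] contains host account {account} (uid {uid})")
    return problems


# Constructed sample: "test" is the range from the page, "bob" was given a range
# that overlaps it, and "carol" was given one that starts below real accounts.
SAMPLE_SUBUID = "test:100000:65536\nbob:150000:65536\ncarol:500:65536\n"
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\ntest:x:1000:1000::/home/test:/bin/bash\n"


def demo() -> List[str]:
    return find_subid_problems(parse_subid(SAMPLE_SUBUID), parse_passwd_uids(SAMPLE_PASSWD))


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

For the live system, feed it open("/etc/subuid").read() and open("/etc/passwd").read(); run the same check on /etc/subgid with the group file, since the two files are maintained independently and drift apart just as easily.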
[root@localhost ~]# podman pull nginx
✔ docker.io/library/nginx:latest
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob e5ae68f74026 skipped: already exists
Copying blob 44be98c0fab6 done
Copying blob ed835de16acd done
Copying blob 881ff011f1c9 done
Copying blob 21e0df283cd6 done
Copying blob 77700c52c969 done
Copying config f652ca386e done
Writing manifest to image destination
Storing signatures
f652ca386ed135a4cbe356333e08ef0816f81b2ac8d0619af01e2b256837ed3e
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest f652ca386ed1 11 days ago 146 MB
# Explanation
REPOSITORY  the registry and repository the image came from
TAG         the image tag
IMAGE ID    the image ID, a prefix of the config digest that podman pull printed as "Copying config f652ca386e"
CREATED     when the image was built
SIZE        the unpacked size
# Options
-a, --all   # list all images, including intermediate layers
-q, --quiet # print only image IDs
Note the "✔ docker.io/library/nginx:latest" line that podman pull printed: the name nginx was not fully qualified, so Podman resolved it against the unqualified-search-registries list in registries.conf (and prompts when several registries are configured). In scripts and in production, pull by fully qualified name (docker.io/library/nginx:latest), ideally pinned by digest (@sha256:...), so that a typo or a registry added to that list later cannot redirect the pull to a repository someone else controls.
[root@localhost ~]# podman search nginx
INDEX              NAME                                                DESCRIPTION                                       STARS  OFFICIAL  AUTOMATED
fedoraproject.org  registry.fedoraproject.org/f29/nginx                                                                  0
fedoraproject.org  registry.fedoraproject.org/f29/origin-nginx-router                                                    0
redhat.com         registry.access.redhat.com/ubi8/nginx-118           Platform for running nginx 1.18 or building ...   0
redhat.com         registry.access.redhat.com/ubi8/nginx-120           Platform for running nginx 1.20 or building ...   0
redhat.com         registry.access.redhat.com/rhscl/nginx-18-rhel7     Nginx 1.8 server and a reverse proxy server       0
## Options
--filter, -f   filter the output by the given condition
# select only repositories with 10000 or more stars
[root@localhost ~]# podman search nginx -f=stars=10000
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
docker.io docker.io/library/nginx Official build of Nginx. 15928 [OK]
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest f652ca386ed1 11 days ago 146 MB
[root@localhost ~]# podman rmi f652ca386ed1
Untagged: docker.io/library/nginx:latest
Deleted: f652ca386ed135a4cbe356333e08ef0816f81b2ac8d0619af01e2b256837ed3e
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest f652ca386ed1 11 days ago 146 MB
[root@localhost ~]# podman run -d --name nginx docker.io/library/nginx
da75a09a0ad6567f563173d0425f39e7aad52e1e559f3d32a67c5d4578146131
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
da75a09a0ad6 docker.io/library/nginx:latest nginx -g daemon o... 3 seconds ago Up 3 seconds ago nginx
# Parameter description
--name="Name"  container name, e.g. tomcat01, tomcat02, used to tell containers apart
-d             run in the background (detached)
-it            run interactively with a TTY, so you can get a shell inside the container
-p             publish a container port on the host as -p HOST:CONTAINER, e.g. -p 8080:8080. Without an explicit host address this binds 0.0.0.0 (the 0.0.0.0:80->80/tcp shown later is such an all-interfaces bind); use -p 127.0.0.1:8080:8080 for services that should not be reachable from the network. A rootless user cannot publish host ports below 1024 unless net.ipv4.ip_unprivileged_port_start is lowered.
-P             publish every port the image EXPOSEs on a random high host port
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
da75a09a0ad6 docker.io/library/nginx:latest nginx -g daemon o... 3 seconds ago Up 3 seconds ago nginx
[root@localhost ~]# podman rm nginx
da75a09a0ad6567f563173d0425f39e7aad52e1e559f3d32a67c5d4578146131
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@localhost ~]#
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4a3232d5c200 docker.io/library/nginx:latest nginx -g daemon o... 11 seconds ago Up 11 seconds ago nginx
[root@localhost ~]# podman stop nginx ## stop the container
nginx
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@localhost ~]# podman start nginx ## start the container
nginx
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4a3232d5c200 docker.io/library/nginx:latest nginx -g daemon o... 29 seconds ago Up 2 seconds ago nginx
[root@localhost ~]# podman restart nginx ## restart the container
4a3232d5c200c4fe5333a1ed08dfaeb48df8dea5090cf67756fa130eca1ea8f6
[root@localhost ~]# podman logs 4a3232d5c200
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2021/12/14 08:46:20 [notice] 1#1: using the "epoll" event method
2021/12/14 08:46:20 [notice] 1#1: nginx/1.21.4
2021/12/14 08:46:20 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
2021/12/14 08:46:20 [notice] 1#1: OS: Linux 4.18.0-257.el8.x86_64
[root@localhost ~]# podman logs --tail 3 4a3232d5c200 ## show the last three log lines
2021/12/14 08:47:27 [notice] 1#1: start worker process 20
2021/12/14 08:47:27 [notice] 1#1: start worker process 21
2021/12/14 08:47:27 [notice] 1#1: start worker process 22
10.88.0.1 - - [14/Dec/2021:08:56:48 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.61.1" "-"
[root@localhost ~]# podman inspect nginx
[
{
"Id": "4a3232d5c200c4fe5333a1ed08dfaeb48df8dea5090cf67756fa130eca1ea8f6",
"Created": "2021-12-14T03:46:19.950375769-05:00",
"Path": "/docker-entrypoint.sh",
"Args": [
"nginx",
"-g",
"daemon off;"
···· trimmed ·····
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4a3232d5c200 docker.io/library/nginx:latest nginx -g daemon o... 24 minutes ago Up 23 minutes ago nginx
[root@localhost ~]# podman exec -it nginx /bin/sh
# ls
bin dev docker-entrypoint.sh home lib64 mnt proc run srv tmp var
boot docker-entrypoint.d etc lib media opt root sbin sys usr
podman inspect -l (--latest) inspects the most recently created container, which here is an exited /bin/bash container created between the steps shown, not the nginx container:
[root@localhost ~]# podman inspect -l
[
{
"Id": "dadf17c00466a872422a869ea1f4b34ce20da8597963dd5afe56d0cea4a491aa",
"Created": "2021-12-14T03:53:34.088900291-05:00",
"Path": "/bin/bash",
"Args": [
"/bin/bash"
],
"State": {
"OciVersion": "1.0.2-dev",
"Status": "exited",
"Running": false,
"Paused": false,
"Restarting": false,
····· trimmed ······
[root@localhost ~]# podman run -d -p 80:80 --name nginx f652ca386ed1
b444383f36708ac37dd818cf1d37f3e7268194cf13c30322a75bb773f0a15d61
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b444383f3670 docker.io/library/nginx:latest nginx -g daemon o... 6 seconds ago Up 6 seconds ago 0.0.0.0:80->80/tcp nginx
Write a unit file for the root-owned container (the unit name nginx_conteainer.service is kept exactly as it was typed on this host):
[root@localhost bin]# vim /etc/systemd/system/nginx_conteainer.service
[root@localhost bin]# cat /etc/systemd/system/nginx_conteainer.service
[Unit]
Description=Podman Nginx Service
After=network.target
After=network-online.target
[Service]
Type=simple
ExecStart=/usr/bin/podman start -a nginx
ExecStop=/usr/bin/podman stop -t 10 nginx
Restart=always
[Install]
WantedBy=multi-user.target
[root@localhost bin]# systemctl daemon-reload
[root@localhost bin]# systemctl enable --now nginx_conteainer.service
Created symlink /etc/systemd/system/multi-user.target.wants/nginx_conteainer.service → /etc/systemd/system/nginx_conteainer.service.
[root@localhost bin]# systemctl status nginx_conteainer.service
● nginx_conteainer.service - Podman Nginx Service
Loaded: loaded (/etc/systemd/system/nginx_conteainer.service; enabled; vendor >
Active: active (running) since Wed 2021-12-15 02:53:26 EST; 9s ago
Main PID: 38185 (podman)
Tasks: 9 (limit: 4743)
Memory: 41.2M
CGroup: /system.slice/nginx_conteainer.service
└─38185 /usr/bin/podman start -a nginx
Dec 15 02:53:26 localhost.localdomain systemd[1]: Started Podman Nginx Service.
Two caveats on this hand-written unit. Podman's documentation recommends podman generate systemd over hand-written units: the generated form (shown for the rootless user below) is Type=forking with PIDFile pointing at conmon's pid file, so systemd tracks the container's supervisor instead of the attached podman client that Type=simple tracks here, and with --new it recreates the container on every start, so the unit no longer depends on a container object that a stray podman rm can remove. Second, this unit runs nginx as root; the rootless procedure that follows shows how the same service can run under a dedicated unprivileged account instead.
[root@localhost ~]# id test
uid=1000(test) gid=1000(test) groups=1000(test)
[root@localhost ~]# su - test
Last login: Wed Dec 15 02:58:37 EST 2021 on pts/0
A rootless user has a separate image store under $HOME/.local/share/containers/storage, so root's images are not visible here; the image listed below was pulled by the test user (the pull is not shown):
[test@localhost ~]$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest f652ca386ed1 12 days ago 146 MB
[test@localhost ~]$ podman run -d --name nginx f652ca386ed1
4ceeb68d0e986bc604dc5d649d631703a82a8017102f19f80bb04dff4bb0bfd7
[test@localhost ~]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4ceeb68d0e98 docker.io/library/nginx:latest nginx -g daemon o... 9 seconds ago Up 9 seconds ago nginx
[test@localhost ~]$ mkdir -p .config/systemd/user
[test@localhost ~]$ cd .config/systemd/user/
[test@localhost user]$ podman generate systemd --files --name nginx
/home/test/.config/systemd/user/container-nginx.service
[test@localhost user]$ cat /home/test/.config/systemd/user/container-nginx.service
# container-nginx.service
# autogenerated by Podman 3.4.1-dev
# Wed Dec 15 03:02:57 EST 2021
[Unit]
Description=Podman container-nginx.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=/tmp/podman-run-1000/containers
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStart=/usr/bin/podman start nginx
ExecStop=/usr/bin/podman stop -t 10 nginx
ExecStopPost=/usr/bin/podman stop -t 10 nginx
PIDFile=/tmp/podman-run-1000/containers/overlay-containers/4ceeb68d0e986bc604dc5d649d631703a82a8017102f19f80bb04dff4bb0bfd7/userdata/conmon.pid
Type=forking
[Install]
WantedBy=multi-user.target default.target
systemctl --user talks to the per-user systemd instance, which only exists inside a logind session, and su - does not create one. That is also why the generated unit above carries /tmp/podman-run-1000, the fallback Podman uses when XDG_RUNTIME_DIR is unset; regenerate the unit from a real login session so that PIDFile points under /run/user/1000. Log in with ssh before enabling the unit, and for the service to start at boot and keep running after the user logs out, root must additionally run loginctl enable-linger test:
[root@localhost ~]# ssh test@localhost
test@localhost's password:
Last login: Wed Dec 15 03:07:58 2021 from ::1
[test@localhost ~]$ systemctl --user enable --now container-nginx.service
Created symlink /home/test/.config/systemd/user/multi-user.target.wants/container-nginx.service → /home/test/.config/systemd/user/container-nginx.service.
Created symlink /home/test/.config/systemd/user/default.target.wants/container-nginx.service → /home/test/.config/systemd/user/container-nginx.service.
[test@localhost ~]$ systemctl --user status container-nginx.service
● container-nginx.service - Podman container-nginx.service
Loaded: loaded (/home/test/.config/systemd/user/container-nginx.service; enabl>
Active: active (running) since Wed 2021-12-15 03:12:33 EST; 33s ago
Docs: man:podman-generate-systemd(1)
Process: 4785 ExecStart=/usr/bin/podman start nginx (code=exited, status=0/SUCC>
Main PID: 4896 (conmon)
CGroup: /user.slice/user-1000.slice/user@1000.service/container-nginx.service
├─4888 /usr/bin/slirp4netns --disable-host-loopback --mtu=65520 --enab>
├─4889 /usr/bin/fuse-overlayfs -o ,lowerdir=/home/test/.local/share/co>
├─4896 /usr/bin/conmon --api-version 1 -c 4ceeb68d0e986bc604dc5d649d63>
├─4899 nginx: master process nginx -g daemon off;
├─4955 nginx: worker process
├─4956 nginx: worker process
├─4957 nginx: worker process
└─4958 nginx: worker process
# create the network cni-podman2 (without --subnet Podman allocated 10.89.0.0/24 for it, as the container address 10.89.0.5/24 further down shows)
[root@localhost ~]# podman network create cni-podman2
/etc/cni/net.d/cni-podman2.conflist
# --subnet creates the network with an explicit subnet
## podman network create --subnet <CIDR> <network name>
## 192.6.0.0/16 below is publicly routed address space, not an RFC 1918 range; from the host's point of view containers on it shadow real Internet hosts, so pick a private range in practice
[root@localhost ~]# podman network create --subnet 192.6.0.0/16 newnet
/etc/cni/net.d/newnet.conflist
# --gateway sets the gateway address inside the subnet
## podman network create --subnet <CIDR> --gateway <gateway address> newnet1
[root@localhost ~]# podman network create --subnet 192.168.33.0/24 --gateway 192.168.33.3 newnet1
/etc/cni/net.d/newnet1.conflist
# --ip-range restricts the addresses handed out to containers to a sub-range of the subnet
[root@localhost ~]# podman network create --subnet 192.168.55.0/24 --ip-range 192.168.55.128/25 newnet2
/etc/cni/net.d/newnet2.conflist
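podman network create accepts --subnet, --gateway and --ip-range without checking them against what is already on the host, so a pre-flight is useful. The following added example (not from the page or the Podman project) validates a request the way a reviewer would: the subnet must be a proper network address, private, and disjoint from existing Podman networks; the gateway must be a usable host inside it; the ip-range must be contained in it. EXISTING is constructed from this page: the default podman bridge is 10.88.0.0/16 (see cni-podman0 below) and cni-podman2 received 10.89.0.0/24; the function and its names are mine.

```python
import ipaddress
from typing import Dict, List, Optional

# Networks already present on this host, taken from the page's own output.
EXISTING: Dict[str, str] = {"podman": "10.88.0.0/16", "cni-podman2": "10.89.0.0/24"}


def check_network_request(subnet: str, gateway: Optional[str] = None,
                          ip_range: Optional[str] = None,
                          existing: Dict[str, str] = EXISTING) -> List[str]:
    """Pre-flight the arguments of `podman network create`.
    Returns a list of problems; an empty list means the request is consistent."""
    problems: List[str] = []
    try:
        net = ipaddress.ip_network(subnet)  # strict: host bits must be zero
    except ValueError as exc:
        return [f"--subnet {subnet}: {exc}"]
    if not net.is_private:
        problems.append(f"--subnet {subnet}: not an RFC 1918/ULA range; "
                        "containers would shadow real Internet hosts")
    for name, cidr in existing.items():
        other = ipaddress.ip_network(cidr)
        if net.version == other.version and net.overlaps(other):
            problems.append(f"--subnet {subnet}: overlaps existing network {name} ({cidr})")
    if gateway is not None:
        gw = ipaddress.ip_address(gateway)
        # The network and broadcast addresses are not assignable to a gateway.
        if gw not in net or gw in (net.network_address, net.broadcast_address):
            problems.append(f"--gateway {gateway}: not a usable host address inside {subnet}")
    if ip_range is not None:
        try:
            rng = ipaddress.ip_network(ip_range)
        except ValueError as exc:
            return problems + [f"--ip-range {ip_range}: {exc}"]
        if not rng.subnet_of(net):
            problems.append(f"--ip-range {ip_range}: not contained in {subnet}")
    return problems


if __name__ == "__main__":
    # The three requests from the page; only the first one draws a complaint.
    for args in ({"subnet": "192.6.0.0/16"},
                 {"subnet": "192.168.33.0/24", "gateway": "192.168.33.3"},
                 {"subnet": "192.168.55.0/24", "ip_range": "192.168.55.128/25"}):
        print(args, check_network_request(**args))
```

To keep EXISTING in sync with a real host, build it from podman network inspect output rather than editing the dict by hand.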
# list networks
[root@localhost ~]# podman network ls
NETWORK ID NAME VERSION PLUGINS
2f259bab93aa podman 0.4.0 bridge,portmap,firewall,tuning
603e960751dc cni-podman2 0.4.0 bridge,portmap,firewall,tuning
884e74728f04 newnet 0.4.0 bridge,portmap,firewall,tuning
45b3499a170b newnet1 0.4.0 bridge,portmap,firewall,tuning
31213d4efd11 newnet2 0.4.0 bridge,portmap,firewall,tuning
# podman run --name <container name> --network <network name> <image>
[root@localhost ~]# podman run -d --name nginx --network cni-podman2 nginx:latest
c69f0c65dace38250b5b244d7f2650a78cf93446ae3383afd959312db5f6df82
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
Two IPAddress entries appear below: the first, empty one is the legacy top-level NetworkSettings summary, and the populated one belongs to the cni-podman2 entry under NetworkSettings.Networks, which is where the addresses of a container attached to named networks live:
[root@localhost ~]# podman inspect nginx |grep IP
"IPAddress": "",
"IPPrefixLen": 0,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"IPAddress": "10.89.0.5",
"IPPrefixLen": 24,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAMConfig": null,
Once a container has been started, the cni-podman0 bridge interface appears on the host. A container started without --network is attached to the default network named podman (10.88.0.0/16, with the host side of the bridge at 10.88.0.1):
[root@localhost ~]# ip a show cni-podman0
3: cni-podman0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether de:ad:ca:93:bd:4c brd ff:ff:ff:ff:ff:ff
inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
valid_lft forever preferred_lft forever
inet6 fe80::dcad:caff:fe93:bd4c/64 scope link
valid_lft forever preferred_lft forever
[root@localhost ~]# podman network ls
NETWORK ID NAME VERSION PLUGINS
2f259bab93aa podman 0.4.0 bridge,portmap,firewall,tuning
603e960751dc cni-podman2 0.4.0 bridge,portmap,firewall,tuning
[root@localhost ~]# podman network disconnect cni-podman2 nginx
[root@localhost ~]# podman network reload nginx2
e922ba3fc8bfade7f9f40d9650d83630bbf43ad5b58cca0dd395e4e58ab122e5
[root@localhost ~]# podman network ls
NETWORK ID NAME VERSION PLUGINS
2f259bab93aa podman 0.4.0 bridge,portmap,firewall,tuning
603e960751dc cni-podman2 0.4.0 bridge,portmap,firewall,tuning
884e74728f04 newnet 0.4.0 bridge,portmap,firewall,tuning
45b3499a170b newnet1 0.4.0 bridge,portmap,firewall,tuning
31213d4efd11 newnet2 0.4.0 bridge,portmap,firewall,tuning
[root@localhost ~]# podman network rm newnet2
newnet2
[root@localhost ~]# podman network ls
NETWORK ID NAME VERSION PLUGINS
2f259bab93aa podman 0.4.0 bridge,portmap,firewall,tuning
603e960751dc cni-podman2 0.4.0 bridge,portmap,firewall,tuning
884e74728f04 newnet 0.4.0 bridge,portmap,firewall,tuning
45b3499a170b newnet1 0.4.0 bridge,portmap,firewall,tuning