Installing Podman, using Podman as a non-root user, and common Podman commands

敖硕
2023-12-01

What is Podman?

Podman is a daemonless container engine for developing, managing, and running OCI containers on Linux systems. Containers can be run as root or in rootless mode. Put simply: docker=podman.

Podman is an open-source project that is available on most Linux platforms and is hosted on GitHub. Podman is a daemonless container engine for developing, managing, and running Open Container Initiative (OCI) containers and container images on Linux systems. Podman provides a Docker-compatible command-line front end that can simply be aliased over the Docker CLI: alias docker=podman. Podman also provides a socket-activated REST API service that lets remote applications launch containers on demand. This REST API also supports the Docker API, allowing users of docker-py and docker-compose to interact with Podman as a service.

Containers under Podman's control can be run by root or by an unprivileged user. Podman uses the libpod library to manage the entire container ecosystem, including pods, containers, container images, and container volumes. Podman focuses on all the commands and features that help you maintain and modify OCI container images, such as pulling and tagging. It lets you create, run, and maintain containers built from those images in production environments.

The Podman service runs only on Linux, but the Podman remote REST API client exists for Mac and Windows and can communicate over ssh with a Podman service running on a Linux machine or VM. Mac client.

Podman website

Installing Podman

Podman is available in the default Extras repository on CentOS 7 and in the AppStream repository on CentOS 8 and CentOS Stream.
For other systems, see the installation instructions.

[root@localhost ~]#  yum -y install podman
[root@localhost ~]#  yum -y install podman-docker
[root@localhost ~]# rpm -qa | grep podman
podman-docker-3.3.1-9.module_el8.5.0+988+b1f0b741.noarch
podman-catatonit-3.3.1-9.module_el8.5.0+988+b1f0b741.x86_64
podman-3.3.1-9.module_el8.5.0+988+b1f0b741.x86_64

Common Podman commands

//Search for an image
[root@localhost ~]# podman search busybox
INDEX       NAME                               DESCRIPTION                                      STARS       OFFICIAL    AUTOMATED
docker.io   docker.io/library/busybox          Busybox base image.                              2415        [OK]        
docker.io   docker.io/radial/busyboxplus       Full-chain, Internet enabled, busybox made f...  43                      [OK]
docker.io   docker.io/yauritux/busybox-curl    Busybox with CURL                                16                      
docker.io   docker.io/odise/busybox-curl                                                        4                       [OK]
docker.io   docker.io/arm64v8/busybox          Busybox base image.                              3                       
docker.io   docker.io/vukomir/busybox          busybox and curl                                 1                       
....(omitted)

//Pull an image
[root@localhost ~]# podman pull docker.io/library/busybox
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 3cb635b06aa2 done  
Copying config ffe9d497c3 done  
Writing manifest to image destination
Storing signatures
ffe9d497c32414b1c5cdad8178a85602ee72453082da2463f1dede592ac7d5af

//List images
[root@localhost ~]# podman images
REPOSITORY                 TAG         IMAGE ID      CREATED     SIZE
docker.io/library/busybox  latest      ffe9d497c324  6 days ago  1.46 MB

//Run a container
[root@localhost ~]# podman run -it docker.io/library/busybox /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 76:d0:cf:96:77:95 brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.2/16 brd 10.88.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::74d0:cfff:fe96:7795/64 scope link 
       valid_lft forever preferred_lft forever
/ # 

//List containers
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                             COMMAND     CREATED         STATUS             PORTS       NAMES
4f14f31ad144  docker.io/library/busybox:latest  /bin/sh     16 seconds ago  Up 16 seconds ago              recursing_blackburn

//Show detailed container information
[root@localhost ~]# podman inspect 4f14f31ad144 //container ID or container name
.....(omitted)
[
    {
        "Id": "4f14f31ad1449baba48e45d7bf9e25f7ae5655c2f18e9f3fc1fa8e892a3178d8",
        "Created": "2021-12-14T11:12:15.380423837+08:00",
        "Path": "/bin/sh",
        "Args": [
            "/bin/sh"
        ],
        "State": {
            "OciVersion": "1.0.2-dev",
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 69617,
            "ConmonPid": 69606,
            "ExitCode": 0,
.....(omitted)

//Stop a container
[root@localhost ~]# podman stop 4f14f31ad144 
4f14f31ad144
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                             COMMAND     CREATED        STATUS                      PORTS       NAMES
4f14f31ad144  docker.io/library/busybox:latest  /bin/sh     7 minutes ago  Exited (137) 7 seconds ago              recursing_blackburn

//Start a container
[root@localhost ~]# podman start 4f14f31ad144 
4f14f31ad144
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                             COMMAND     CREATED        STATUS            PORTS       NAMES
4f14f31ad144  docker.io/library/busybox:latest  /bin/sh     7 minutes ago  Up 2 seconds ago              recursing_blackburn

//Remove a container
[root@localhost ~]# podman rm -f  4f14f31ad144 
4f14f31ad1449baba48e45d7bf9e25f7ae5655c2f18e9f3fc1fa8e892a3178d8
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

//Podman and Docker commands are almost identical; the docker command works directly, which is why we say podman=docker
[root@localhost ~]# docker ps -a
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
CONTAINER ID  IMAGE                             COMMAND     CREATED         STATUS             PORTS       NAMES
37f988802d6a  docker.io/library/busybox:latest  /bin/sh     19 seconds ago  Up 19 seconds ago              wonderful_rosalind

Running as a non-root user

[root@localhost ~]# vim /etc/containers/storage.conf 
# Default Storage Driver, Must be set for proper operation.
driver = "overlay" #make sure this is overlay
mount_program = "/usr/bin/fuse-overlayfs" #add this line

Enable user namespaces

//Check the OS release; if it is CentOS 7, do the following
[root@localhost ~]# cat /etc/redhat-release 
CentOS Stream release 8
[root@localhost ~]# sysctl user.max_user_namespaces=15000

Configure /etc/subuid and /etc/subgid

[root@localhost ~]# useradd tom
[root@localhost ~]# id tom
uid=1000(tom) gid=1000(tom) 组=1000(tom)
[root@localhost ~]# cat /etc/subuid
tom:100000:65536
[root@localhost ~]# cat /etc/subgid
tom:100000:65536
[root@localhost ~]# podman login docker.io  //log in to a Docker Hub account
WARN[0000] Failed to decode the keys ["storage.mount_program"] from "/etc/containers/storage.conf". 
Username: luohengjie
Password: 
Login Succeeded!
[root@localhost ~]# cat /run/user/0/containers/auth.json //stores the login credentials (base64-encoded, not encrypted)
{
        "auths": {
                "docker.io": {
                        "auth": "bHVvaGVuZ2ppZTpsaGoxMjM0NTY="
                }
        }
}
[root@localhost ~]# 

Using containers as a non-root user

//Install crun
[root@localhost containers]# yum -y install crun
//Edit the configuration file
[root@localhost ~]# cd /usr/share/containers/
[root@localhost containers]# ls
containers.conf  mounts.conf  seccomp.json  selinux
[root@localhost containers]# vi containers.conf 
...........(omitted)
runtime = "crun"  //uncomment this line
#runtime = "runc"  //comment this line out
..........(omitted)
[root@localhost ~]# su tom
[tom@localhost root]$ cd
[tom@localhost ~]$ ls
data

[root@localhost ~]# chown -hR tom  $XDG_RUNTIME_DIR //$XDG_RUNTIME_DIR defines the base directory for user-specific, non-essential runtime files and other file objects (such as sockets and named pipes). The directory must be owned by the user, and the user must be the only one with read and write access to it. Its Unix access mode must be 0700.
[tom@localhost root]$ podman run -it -v "$(pwd)"/data:/data docker.io/library/busybox /bin/sh
cannot chdir to /root: Permission denied
Error: chown /home/tom/.local/share/containers/storage/overlay/l: operation not permitted
[tom@localhost root]$ cd
[tom@localhost ~]$ podman run -it -v "$(pwd)"/data:/data docker.io/library/busybox /bin/sh
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 3cb635b06aa2 done  
Copying config ffe9d497c3 done  
Writing manifest to image destination
Storing signatures
/ # 
/ # 
/ # ls
bin   data  dev   etc   home  proc  root  run   sys   tmp   usr   var
/ # ls -l data/
ls: can't open 'data/': Permission denied
total 0
[tom@localhost ~]$ docker ps -a
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
CONTAINER ID  IMAGE                             COMMAND     CREATED        STATUS            PORTS       NAMES
258745fe3186  docker.io/library/busybox:latest  /bin/sh     2 minutes ago  Up 2 minutes ago              epic_curie
[tom@localhost ~]$ ls
data
[tom@localhost ~]$ cd data/
[tom@localhost data]$ ls
[tom@localhost data]$ ll
总用量 0
Inside the container you are the root account; on the host you are an ordinary user.
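The reason the container's root is harmless on the host is the uid mapping built from /etc/subuid: container uid 0 maps to the unprivileged user's own uid, and container uids 1..count map onto the sub-uid range. The following added example (not part of the original post) computes that mapping from a constructed subuid file matching the post's "tom:100000:65536" entry, and checks that the range is the 65536 uids Podman expects.

```shell
#!/bin/sh
# Added example: rootless uid mapping derived from a /etc/subuid entry.
# SUBUID_SAMPLE is constructed inline so the script runs offline; in real
# use you would read /etc/subuid instead.
SUBUID_SAMPLE='root:200000:65536
tom:100000:65536'

# subuid_range USER -> prints "start count" for USER, nothing if absent
subuid_range() {
    printf '%s\n' "$SUBUID_SAMPLE" | awk -F: -v u="$1" '$1==u {print $2, $3; exit}'
}

# subuid_ok USER -> succeeds if USER has at least 65536 sub-uids
subuid_ok() {
    set -- "$1" $(subuid_range "$1")
    [ -n "$3" ] && [ "$3" -ge 65536 ]
}

# host_uid USER USER_UID CONTAINER_UID -> host uid that CONTAINER_UID becomes
# (same scheme Podman writes to /proc/self/uid_map for a rootless container)
host_uid() {
    set -- "$1" "$2" "$3" $(subuid_range "$1")   # $4=start $5=count
    [ -n "$4" ] || { echo "no subuid entry for $1" >&2; return 1; }
    if [ "$3" -eq 0 ]; then
        echo "$2"                 # container root is the user itself
    elif [ "$3" -le "$5" ]; then
        echo $(( $4 + $3 - 1 ))   # uid 1..count land in the sub-uid range
    else
        echo "unmapped" >&2       # outside the map: appears as nobody/overflow
        return 1
    fi
}
```

Running `podman unshare cat /proc/self/uid_map` as tom shows the same two ranges the functions above reproduce.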