What is Podman?
Podman is a daemonless container engine for developing, managing and running OCI containers on Linux. Containers can run as root or in rootless mode. In short: alias docker=podman.
Podman is an open-source project, available on most Linux platforms and hosted on GitHub. It is a daemonless engine for developing, managing and running Open Container Initiative (OCI) containers and container images on Linux. Podman ships a Docker-compatible command-line front end, so the Docker CLI can simply be aliased to it: alias docker=podman. Podman also offers a socket-activated REST API service so that remote applications can start containers on demand. That REST API also speaks the Docker API, which lets users of docker-py and docker-compose talk to Podman running as a service.
Containers under Podman's control can be run by root or by an unprivileged user. Podman uses the libpod library to manage the whole container ecosystem: pods, containers, container images and container volumes. Podman concentrates on the commands and features you need to maintain and modify OCI container images, such as pulling and tagging, and lets you create, run and maintain containers created from those images in production.
The Podman service runs only on Linux, but Podman remote REST API clients exist for Mac and Windows and talk over ssh to a Podman service running on a Linux host or VM. Mac client.
//Install Podman together with the "docker" command shim (everything below is run as root unless noted)
[root@localhost ~]# yum -y install podman-docker
//Search for an image
[root@localhost ~]# podman search busybox
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
docker.io docker.io/library/busybox Busybox base image. 2415 [OK]
docker.io docker.io/radial/busyboxplus Full-chain, Internet enabled, busybox made f... 43 [OK]
docker.io docker.io/yauritux/busybox-curl Busybox with CURL 16
//Create a container (the image is pulled on first use because the local image list is empty)
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@localhost ~]# podman run -it docker.io/library/busybox /bin/sh
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 3cb635b06aa2 done
Copying config ffe9d497c3 done
Writing manifest to image destination
Storing signatures
/ #
//List the running containers
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
00ae0c934b96 docker.io/library/busybox:latest /bin/sh 6 seconds ago Up 5 seconds ago goofy_moser
Building an nginx image with a Dockerfile
[root@localhost ~]# mkdir nginx
//Directory layout (the remaining commands are run inside the nginx directory)
[root@localhost nginx]# tree
.
├── Dockerfile
└── files
└── nginx-1.20.1.tar.gz
//Write the Dockerfile
[root@localhost nginx]# cat Dockerfile
FROM docker.io/library/centos
ENV PATH /usr/local/nginx/sbin:$PATH
# ADD unpacks the vendored tarball into /usr/src, so the build trusts that archive completely
ADD files/nginx-1.20.1.tar.gz /usr/src
RUN useradd -r -M -s /sbin/nologin nginx && \
    yum -y install pcre-devel openssl openssl-devel gd-devel gcc gcc-c++ make && \
    mkdir -p /var/log/nginx && \
    cd /usr/src/nginx-1.20.1 && \
    ./configure \
        --prefix=/usr/local/nginx \
        --user=nginx \
        --group=nginx \
        --with-debug \
        --with-http_ssl_module \
        --with-http_realip_module \
        --with-http_image_filter_module \
        --with-http_gunzip_module \
        --with-http_gzip_static_module \
        --with-http_stub_status_module \
        --http-log-path=/var/log/nginx/access.log \
        --error-log-path=/var/log/nginx/error.log && \
    make && make install
# an nginx -g directive must be terminated with ";", otherwise nginx refuses to start
CMD ["nginx","-g","daemon off;"]
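ADD silently unpacks whatever is in files/nginx-1.20.1.tar.gz into the image, so the build is only as trustworthy as that archive. The script below is an added example and not part of the original post: it shows two checks to run before `podman build`, comparing the tarball with a pinned SHA-256 (the expected hash is a value you record yourself from the upstream download page; none is shown here) and refusing archives whose entry names are absolute or contain `..`, which ADD would otherwise write outside /usr/src. It assumes GNU coreutils (sha256sum) and tar; the sample tarball it creates is constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original post): checks for a vendored tarball
# before a Dockerfile ADD extracts it into the image.
set -eu

# verify_sha256 FILE EXPECTED_HEX: succeed only if FILE hashes to EXPECTED_HEX.
verify_sha256() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# tar_listing_safe: read a `tar -t` listing on stdin and fail if any entry is
# absolute or has a ".." path component (either escapes the target directory).
tar_listing_safe() {
  ! grep -Eq '^/|(^|/)\.\.(/|$)'
}

# check_tarball FILE EXPECTED_HEX: run both checks, print a verdict, fail on any problem.
check_tarball() {
  verify_sha256 "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
  tar -tzf "$1" | tar_listing_safe || { echo "unsafe entry name in: $1" >&2; return 1; }
  echo "ok: $1"
}

# make_sample_tarball OUT: build a small constructed tarball to exercise the checks
# (a stand-in for files/nginx-1.20.1.tar.gz; contents are made up).
make_sample_tarball() {
  d=$(mktemp -d)
  mkdir -p "$d/nginx-1.20.1"
  echo 'echo configure' > "$d/nginx-1.20.1/configure"
  tar -czf "$1" -C "$d" nginx-1.20.1
  rm -rf "$d"
}

# Usage against a real archive:
#   check_tarball files/nginx-1.20.1.tar.gz <sha256 recorded from nginx.org> && podman build -t nginx:latest .
```

Record the expected hash at the time you download the tarball, not from the file already sitting in files/; the point of the check is that a later change to that file fails the build instead of being baked into the image.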
//Build the image. Note that the Dockerfile has no USER instruction, so the nginx master process runs as root inside the container (only the workers drop to the nginx user via --user), and the compilers and -devel packages installed by yum stay in the 565 MB image
[root@localhost ~]# podman build -t nginx:latest nginx
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/nginx latest c69af231e7f6 22 seconds ago 565 MB
docker.io/library/busybox latest ffe9d497c324 5 days ago 1.46 MB
docker.io/library/centos latest 5d0da3dc9764 2 months ago 239 MB
quay.io/centos/centos latest 300e315adb2f 12 months ago 217 MB
//Give the image a second name: a tag is just another reference to the same image ID (localhost/ is the default prefix when no registry is named)
[root@localhost ~]# podman tag localhost/nginx:latest docker.io/my922/nginx:latest
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/nginx latest c69af231e7f6 2 minutes ago 565 MB
docker.io/my922/nginx latest c69af231e7f6 2 minutes ago 565 MB
//Push the image
[root@localhost ~]# podman login docker.io #log in; the registry has to be named explicitly
Username: my922
Password:
Login Succeeded!
[root@localhost ~]# podman push docker.io/my922/nginx:latest #push to your own repository; the image name must carry the docker.io registry prefix
Getting image source signatures
Copying blob 92fc494486b9 [-------------] 9.0MiB / 305.3MiB
Copying blob 699324c97319 done
Copying blob 74ddd0ec08fa skipped: already exists
//Show image details (output truncated here)
[root@localhost ~]# podman inspect docker.io/my922/nginx:latest
[
{
"Id": "c69af231e7f6eaf3a707ff70546725a0a8dd9d657ac7e872823c9155b69936ef",
"Digest": "sha256:b9896db69e6d23365a73113467ca6750592c5262af799f2c72bd496d4c51cc6b",
"RepoTags": [
"localhost/nginx:latest",
"docker.io/my922/nginx:latest"
//Create a container and look at its logs
[root@localhost ~]# podman run -d --name httpd docker.io/library/httpd
Trying to pull docker.io/library/httpd:latest...
[root@localhost ~]# podman inspect httpd #detailed view; the container's IP address is in the NetworkSettings section (output omitted here)
[root@localhost ~]# curl 10.88.0.7 #send a request
<html><body><h1>It works!</h1></body></html>
[root@localhost ~]# podman logs --latest #show logs; --latest selects the most recently created container
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.7. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.7. Set the 'ServerName' directive globally to suppress this message
[Mon Dec 13 11:06:37.399816 2021] [mpm_event:notice] [pid 1:tid 140009363627328] AH00489: Apache/2.4.51 (Unix) configured -- resuming normal operations
[Mon Dec 13 11:06:37.399965 2021] [core:notice] [pid 1:tid 140009363627328] AH00094: Command line: 'httpd -D FOREGROUND'
10.88.0.1 - - [13/Dec/2021:11:08:32 +0000] "GET / HTTP/1.1" 200 45
//Show the processes running in a given container. PID 1 is the master process running as root; all the other entries are its children and run as www-data. The PIDs are the container's own, not the host's
[root@localhost ~]# podman top httpd
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
root 1 0 0.000 7m2.308718345s ? 0s httpd -DFOREGROUND
www-data 7 1 0.000 7m1.310386806s ? 0s httpd -DFOREGROUND
www-data 8 1 0.000 7m1.310484865s ? 0s httpd -DFOREGROUND
www-data 9 1 0.000 7m1.310633184s ? 0s httpd -DFOREGROUND
Stopping a container
[root@localhost ~]# podman run -d --name web docker.io/library/nginx #start a container first
//--latest stops the most recently created container (here: web). -l/--latest is not available with the remote client
[root@localhost ~]# podman stop --latest
832e27219ddd290d2d757f4c2a4dfd1085c459dc63d7695a427ab9be4445d3a6
Removing a container
//--latest removes the most recently created container, which is the web container just stopped
[root@localhost ~]# podman rm --latest
Storage driver for rootless containers
//This is the system-wide file; a per-user copy at ~/.config/containers/storage.conf overrides it for that user
[root@localhost ~]# vim /etc/containers/storage.conf
...........................
# Default Storage Driver, Must be set for proper operation.
driver = "overlay" #set to overlay
[storage.options]
# Storage options to be passed to underlying storage drivers
mount_program = "/usr/bin/fuse-overlayfs" #add this line; unprivileged users get overlay through fuse-overlayfs on kernels without native rootless overlay support
...........................
Enabling user namespaces
//Check the release. CentOS 7 needs the sysctl below; CentOS 8 already has user namespaces enabled
[root@localhost ~]# cat /etc/redhat-release
CentOS Stream release 8
[root@localhost ~]# sysctl user.max_user_namespaces=15000 #takes effect immediately but not across reboots; put the same line in a file under /etc/sysctl.d/ to make it persistent
/etc/subuid and /etc/subgid
//Every user who runs rootless containers needs a range of subordinate uids and gids. On CentOS 8 useradd allocates 65536 of each automatically, starting at 100000 for the first user
[root@localhost ~]# useradd my
[root@localhost ~]# cat /etc/subuid
my:100000:65536
[root@localhost ~]# cat /etc/subgid
my:100000:65536
Where the login is stored
[root@localhost ~]# podman login docker.io
Username: my922
Password:
Login Succeeded!
[root@localhost ~]# find / -name auth.json
find: ‘/proc/63777’: No such file or directory
/run/user/0/containers/auth.json
[root@localhost ~]# cat /run/user/0/containers/auth.json
{
  "auths": {
    "docker.io": {
      "auth": "<base64 of username:password, redacted>"
    }
  }
}
The auth value is nothing more than base64(username:password), so this file is as sensitive as the password itself. For root it lives under /run/user/0 (a tmpfs owned by root with mode 0700, wiped at reboot); for a rootless user it is $XDG_RUNTIME_DIR/containers/auth.json. podman logout docker.io removes the entry.
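Because base64 is an encoding and not encryption, anyone who can read auth.json has the password. The script below is an added example, not code from the original post, that audits such a file: it lists the registries with a stored login, decodes only the username half of the auth value, and checks that the file is readable by its owner alone. The sample file and the credential demo:s3cret inside it are constructed for the demonstration; it assumes a POSIX shell with grep, sed, base64 and stat.

```sh
#!/bin/sh
# Added example (not from the original post): audit a containers auth.json.
set -eu

# write_sample_auth PATH: write a constructed auth.json (docker.io login for
# user "demo" with password "s3cret") and give it the mode Podman uses.
write_sample_auth() {
  cat > "$1" <<'EOF'
{
  "auths": {
    "docker.io": {
      "auth": "ZGVtbzpzM2NyZXQ="
    }
  }
}
EOF
  chmod 600 "$1"
}

# auth_registries FILE: print the registries that have a stored login.
auth_registries() {
  grep -oE '"[^"]+": *\{' "$1" | grep -v '"auths"' | sed -E 's/"([^"]+)".*/\1/'
}

# auth_username FILE: decode the first "auth" entry and print only the part
# before the colon; the part after it is the password and is never printed.
auth_username() {
  grep -oE '"auth": *"[^"]+"' "$1" | head -n1 \
    | sed -E 's/.*"([^"]+)"$/\1/' | base64 -d | cut -d: -f1
}

# auth_mode_ok FILE: succeed only if the file is owner-readable only (0600).
auth_mode_ok() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  [ "$mode" = "600" ]
}

# auth_report FILE: one-line summary plus a warning when the mode is too open.
auth_report() {
  echo "registries: $(auth_registries "$1" | tr '\n' ' ')"
  echo "username:   $(auth_username "$1")"
  auth_mode_ok "$1" || echo "WARNING: $1 is readable by other users; the password inside is exposed" >&2
}

# Usage: auth_report "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/containers/auth.json"
```

Run auth_report against the real path printed by find above; the registry and username are safe to put in a ticket, the auth value itself is not.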
Running containers as a regular user
//Install crun
[root@localhost containers]# yum -y install crun
//Select the runtime. /usr/share/containers/containers.conf is the packaged default and is overwritten on upgrade; the same [engine] setting placed in /etc/containers/containers.conf (or ~/.config/containers/containers.conf for a single user) survives upgrades
[root@localhost ~]# cd /usr/share/containers/
[root@localhost containers]# ls
containers.conf mounts.conf seccomp.json selinux
[root@localhost containers]# vi containers.conf
...........................
runtime = "crun" #uncomment
#runtime = "runc" #comment out
...........................
//Bind-mount a host directory into a container. The user tom needs /etc/subuid and /etc/subgid entries just like my above
[root@localhost containers]# su - tom
Last login: Tue Dec 14 02:47:17 CST 2021 on pts/0
[tom@localhost ~]$ mkdir data
[tom@localhost ~]$ podman run -it -v "$(pwd)"/data:/data docker.io/library/busybox /bin/sh
/ # cd data/
/data # ls
/data # touch xaw
/data # ls -l
total 0
-rw-r--r-- 1 root root 0 Dec 13 18:52 xaw #owned by root
//Look at it from the host
[tom@localhost ~]$ ll data/
total 0
-rw-r--r-. 1 tom tom 0 12月 14 02:52 xaw #owned by tom
Inside the container the file belongs to root, but on the host it belongs to the ordinary user tom. Rootless Podman maps container uid 0 to the invoking user's own uid (tom, 1001) and container uids 1 and above to tom's range in /etc/subuid, so "root" in the container has only tom's privileges on the host.
[tom@localhost ~]$ id
uid=1001(tom) gid=1001(tom) groups=1001(tom)
//--userns=keep-id maps tom's uid and gid to the same numbers inside the container, so the process is 1001 rather than container root and files it creates are 1001 on both sides
[tom@localhost ~]$ podman run -it --userns=keep-id -v "$(pwd)"/data:/data docker.io/library/busybox /bin/sh
~ $ id
uid=1001(tom) gid=1001(tom)
/data $ mkdir awm
/data $ ls -l
total 0
drwxr-xr-x 2 1001 1001 6 Dec 13 18:59 awm
-rw-r--r-- 1 1001 1001 0 Dec 13 18:52 xaw
[tom@localhost data]$ ll
total 0
drwxr-xr-x. 2 tom tom 6 12月 14 02:59 awm
-rw-r--r--. 1 tom tom 0 12月 14 02:52 xaw
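The ownership flip above follows from the uid map rootless Podman builds from /etc/subuid: container uid 0 is the invoking user (tom, 1001), container uid 1 is the first subordinate uid, and so on for 65536 entries. The script below is an added example, not part of the original post, that reads a constructed /etc/subuid, reports a user's range, flags ranges that overlap (two users sharing subordinate uids can read each other's container files on the host), and maps a container uid to the host uid it appears as under the default mapping. The sample entries are constructed; it assumes awk and a POSIX shell.

```sh
#!/bin/sh
# Added example (not from the original post): reason about rootless uid
# mapping from /etc/subuid. Default rootless map: container uid 0 -> the
# user's own uid, container uid N (N >= 1) -> subuid_start + N - 1.
set -eu

# subid_range USER: read /etc/subuid lines on stdin, print "start count" for USER.
subid_range() {
  awk -F: -v u="$1" '$1 == u { print $2, $3; found = 1 } END { exit !found }'
}

# subid_overlaps: read /etc/subuid lines on stdin; print every pair of users
# whose ranges overlap ("a b" per line) and exit 1 if any overlap exists.
subid_overlaps() {
  awk -F: '
    { name[NR] = $1; lo[NR] = $2; hi[NR] = $2 + $3 - 1 }
    END {
      bad = 0
      for (i = 1; i <= NR; i++)
        for (j = i + 1; j <= NR; j++)
          if (lo[i] <= hi[j] && lo[j] <= hi[i]) { print name[i], name[j]; bad = 1 }
      exit bad
    }'
}

# map_uid HOST_UID SUB_START SUB_COUNT CONTAINER_UID: print the host uid that a
# file owned by CONTAINER_UID inside a default rootless container shows up as.
map_uid() {
  host=$1; start=$2; count=$3; cuid=$4
  if [ "$cuid" -eq 0 ]; then
    echo "$host"
  elif [ "$cuid" -le "$count" ]; then
    echo $((start + cuid - 1))
  else
    echo "container uid $cuid is outside the $count-entry map; the kernel would reject it" >&2
    return 1
  fi
}

# sample_subuid: constructed /etc/subuid in which tom's and bob's ranges collide.
sample_subuid() {
  cat <<'EOF'
my:100000:65536
tom:165536:65536
bob:200000:65536
EOF
}

# Usage on a real system:
#   subid_range "$USER" < /etc/subuid
#   subid_overlaps < /etc/subuid || echo "fix the ranges before letting these users share a host"
#   map_uid "$(id -u)" $(subid_range "$USER" < /etc/subuid) 0   # what container root is on the host
```

map_uid 1001 100000 65536 0 prints 1001, which is why the file created by container root in the first run belongs to tom on the host; --userns=keep-id rewrites the map so that tom's own 1001 is also 1001 inside the container, which is what the second run shows.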