Administrative operations as the root user
ifconfig
cni-podman0 is Podman's default bridge
[root@localhost ~]# ifconfig
cni-podman0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether ca:61:ef:f6:fb:e0 txqueuelen 1000 (Ethernet)
RX packets 36 bytes 2338 (2.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 26 bytes 2166 (2.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
// veth...@if2: the network interface created for the container; it appears on the host and connects the container and the host so they can talk to each other
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
fa2e3666428b docker.io/library/httpd:latest httpd-foreground 3 days ago Up 3 days ago 0.0.0.0:80->80/tcp web
[root@localhost ~]# ifconfig
veth611d6cf2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::7499:83ff:fe23:149d prefixlen 64 scopeid 0x20<link>
ether 76:99:83:23:14:9d txqueuelen 0 (Ethernet)
RX packets 23 bytes 1884 (1.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 38 bytes 2878 (2.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
The interface disappears when the container is deleted
[root@localhost ~]# podman rm -f web
fa2e3666428b9195e6c987cbd645bff7b2fee241f214e997e9769fe2943d6a40
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@localhost ~]# ifconfig -a | grep veth611d6cf2
Filtering the interface information
podman inspect <container> | grep -i ipaddress    (-i ignores case)
// The podman command line is friendlier than docker's,
The -l option
shows detailed information about the most recently created container
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0b0b8035c049 docker.io/library/httpd:latest httpd-foreground 8 seconds ago Up 8 seconds ago hh
[root@localhost ~]# podman inspect hh | grep -i address
"IPAddress": "10.88.0.4",
"GlobalIPv6Address": "",
"MacAddress": "d2:9c:cd:dd:77:1c",
"LinkLocalIPv6Address": "",
"IPAddress": "10.88.0.4",
"GlobalIPv6Address": "",
"MacAddress": "d2:9c:cd:dd:77:1c",
rm -f -l
The -l option also works when deleting: it removes the most recently created container
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0b0b8035c049 docker.io/library/httpd:latest httpd-foreground 2 minutes ago Up 2 minutes ago hh
dd90a078c21d docker.io/library/httpd:latest httpd-foreground 8 seconds ago Up 8 seconds ago qq
[root@localhost ~]# podman rm -f -l
dd90a078c21df5cd067a8894572848b30eb05d6e8844e2ed552a68d35c3018d8
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0b0b8035c049 docker.io/library/httpd:latest httpd-foreground 3 minutes ago Up 3 minutes ago hh
top
When creating a container, its process has to be told to run in the foreground; otherwise the container stays in the background in the exited state, and restarting it does not bring it up either
[hh@localhost data]$ podman run -d -p 1024:80 busybox
1ff2de130c50accb937bc947a1a56447bf6392c2f63f5e608b5d07895f5b6719
[hh@localhost data]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1ff2de130c50 docker.io/library/busybox:latest sh 5 seconds ago Exited (0) 6 seconds ago 0.0.0.0:1024->80/tcp jovial_ishizaka
[hh@localhost data]$ podman start 1ff2de130c50
1ff2de130c50
[hh@localhost data]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1ff2de130c50 docker.io/library/busybox:latest sh 32 seconds ago Exited (0) 10 seconds ago 0.0.0.0:1024->80/tcp jovial_ishizaka
[root@localhost ~]# podman top hh
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
root 1 0 0.000 4m45.772861061s pts/0 0s httpd -DFOREGROUND
www-data 7 1 0.000 4m44.773169364s pts/0 0s httpd -DFOREGROUND
www-data 8 1 0.000 4m44.773224678s pts/0 0s httpd -DFOREGROUND
www-data 9 1 0.000 4m44.773331448s pts/0 0s httpd -DFOREGROUND
Aliasing docker to podman
alias docker='podman'
Configuration for regular (non-root) users
Before users without root privileges are allowed to run Podman, the administrator must install or build Podman and complete the following configuration.
The cgroup V2 Linux kernel feature lets users limit the amount of resources a rootless container may use. If the Linux distribution you run Podman on has cgroup V2 enabled, you may need to change the default OCI runtime: some older versions of runc do not work with cgroup V2, and you may need to switch to the alternative OCI runtime crun.
[root@podman ~]# yum -y install crun    // note: CentOS 8 already ships this
Search for "default" in the file
and enable the crun setting
[root@podman ~]# vim /usr/share/containers/containers.conf
... (omitted) ...
# Default OCI runtime
#
runtime = "crun"    // uncomment and set to crun
#runtime = "runc"
Create a container to check whether it runs under crun
[root@localhost ~]# podman run -dit --name oo -p 80:80 docker.io/servicestt/l1:v0.2
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
542400e3fa18 docker.io/servicestt/l1:v0.2 httpd-foreground About a minute ago Up 2 seconds ago 0.0.0.0:80->80/tcp oo
[root@localhost ~]# podman inspect oo | grep crun
"OCIRuntime": "crun",
"crun",
Installing slirp4netns and fuse-overlayfs
The slirp4netns package provides user-mode networking for unprivileged network namespaces and must be installed on the machine for Podman to run in a rootless environment.
[root@podman ~]# yum -y install slirp4netns    // this package is installed automatically together with podman; install it if it is missing
Last metadata expiration check: 0:48:50 ago on Mon 15 Aug 2022 02:10:34 PM CST.
Package slirp4netns-1.1.8-1.module_el8.5.0+890+6b136101.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
When a regular user runs Podman containers, a file system helper must be installed: fuse-overlayfs is recommended over the VFS driver, version 0.7.6 at least. Current releases default to it.
[root@localhost ~]# yum -y install fuse-overlayfs
Last metadata expiration check: 0:51:41 ago on Mon 15 Aug 2022 02:10:34 PM CST.
Package fuse-overlayfs-1.7.1-1.module_el8.5.0+890+6b136101.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@localhost containers]# ls
certs.d policy.json registries.conf.d storage.conf (storage settings)
oci registries.conf registries.d
[root@podman ~]# vim /etc/containers/storage.conf
... (omitted) ...
# Inodes is used to set a maximum inodes of the container image.
# inodes = ""
# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
mount_program = "/usr/bin/fuse-overlayfs"    // uncomment this line
// the system can now find the file system helper
[root@localhost containers]# which fuse-overlayfs
/usr/bin/fuse-overlayfs
/etc/subuid and /etc/subgid configuration
Podman requires the user running it to have a range of UIDs listed in /etc/subuid and /etc/subgid; the shadow-utils package provides these files.
A regular user who wants to use podman needs entries written to /etc/subuid and /etc/subgid.
First install the package
[root@localhost containers]# yum -y install shadow-utils
Last metadata expiration check: 1:27:27 ago on Mon 15 Aug 2022 02:10:34 PM CST.
Package shadow-utils-2:4.6-16.el8.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@localhost ~]# useradd hh    // create a user
[root@localhost ~]# id hh
uid=1000(hh) gid=1000(hh) groups=1000(hh)
[root@localhost ~]# cat /etc/subuid    // now look at /etc/subuid
hh:100000:65536
username : starting UID : number of UIDs in the range
// this is what lets a regular user run podman; by default the range starts at UID 100000
A further kernel setting is also required before the user can run podman
[root@localhost ~]# vim /etc/sysctl.conf
net.ipv4.ping_group_range=0 200000    // add this line; it allows GIDs from 0 through 200000 (both below and above 100000) to use podman
// sysctl -p reloads the configuration file
[root@localhost ~]# sysctl -p
net.ipv4.ping_group_range = 0 200000
The usermod program can be used to assign UIDs and GIDs to a user instead of editing the files directly.
Specify the ranges on the command line:
[root@localhost ~]# usermod --add-subuids 200000-201000 --add-subgids 200000-201000 hh
[root@localhost ~]# sysctl -p
net.ipv4.ping_group_range = 0 200000
[root@localhost ~]# cat /etc/subuid
hh:200000:1001
User configuration files
The three main configuration files are containers.conf (container settings), storage.conf (storage) and registries.conf (registries). Users can modify these files as needed.
containers.conf
// user configuration files, lowest to highest priority
[root@localhost ~]# cat /usr/share/containers/containers.conf    // the distribution's defaults
[root@localhost ~]# cat /etc/containers/containers.conf    // second highest priority
[root@localhost ~]# cat ~/.config/containers/containers.conf    // settings here have the highest priority
Configuring storage.conf
1. /etc/containers/storage.conf    // currently only this one exists
2. $HOME/.config/containers/storage.conf    // the configuration file used by regular users
Some key fields of /etc/containers/storage.conf for regular users
[root@localhost ~]# vi /etc/containers/storage.conf
[storage]
#Default Storage Driver, Must be set for proper operation.
driver = "overlay" # set the driver to overlay
.......
mount_program = "/usr/bin/fuse-overlayfs" # uncomment
// add the following parameter to the configuration file
[root@localhost containers]# cat /etc/sysctl.conf
sysctl user.max_user_namespaces=15000 // maximum number of user namespaces allowed (note: the leading word "sysctl" does not belong in sysctl.conf; the line should read user.max_user_namespaces=15000, which is why sysctl -p later reports "cannot stat /proc/sys/sysctl user/max_user_namespaces")
// this is root's default configuration
[root@localhost containers]# vim storage.conf
# Primary Read/Write location of container storage
graphroot = "/var/lib/containers/storage"
Default locations for a regular user
graphroot="$HOME/.local/share/containers/storage"
runroot="$XDG_RUNTIME_DIR/containers"
registries.conf
The configuration is read in this order. These files are not created by default; copy them from /usr/share/containers to /etc/containers and modify them.
1. /etc/containers/registries.conf    // the system default configuration file
2. /etc/containers/registries.d/*
3. $HOME/.config/containers/registries.conf
// here the image location is set through a registry mirror
[root@localhost containers]# ls
certs.d policy.json registries.conf.d storage.conf
oci registries.conf registries.d
[root@localhost containers]# vim registries.conf
unqualified-search-registries = ["docker.io"]
[[registry]]
location = "3bufl9dc.mirror.aliyuncs.com"
[root@localhost containers]# podman login    // logging in without a registry argument authenticates against docker.io by default
Authenticating with existing credentials for docker.io
Existing credentials are invalid, please enter valid username and password
Username (servicestt):
Password:
Login Succeeded!
[root@localhost containers]# cat /run/user/0/containers/auth.json    // the current user's stored credentials: the auth value is base64 of username:password, not encryption, so protect this file
{
"auths": {
"docker.io": {
"auth": "c2VydmljZXN0dDpxd2Vhc2R4Y3Y="
}
}
}
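Since the auth value above is plain base64, an added example (not code from the original post; the helper names are assumptions) that audits an auth.json the defender's way: list registry and username without ever printing the password, and check that the file is not readable by other local users. The sample file and its placeholder credentials are constructed here.

```shell
#!/bin/sh
# Added example, not from the original post; helper names are assumptions.
# List "registry username" for each entry in a containers auth.json without
# printing the password: the "auth" value is only base64("user:password").
auth_json_entries() {  # auth_json_entries FILE
    tr -d '\n' < "$1" |
    grep -o '"[^"]*" *: *{ *"auth" *: *"[^"]*"' |
    sed 's/^"\([^"]*\)" *: *{ *"auth" *: *"\([^"]*\)"$/\1 \2/' |
    while read -r registry b64; do
        user=$(printf '%s' "$b64" | base64 -d | cut -d: -f1)
        printf '%s %s\n' "$registry" "$user"
    done
}

# Succeed only if FILE is not readable by group or others (mode 600, 400, ...),
# because anyone who can read it can decode the password the same way.
auth_json_mode_ok() {  # auth_json_mode_ok FILE
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ $((mode % 100)) -eq 0 ]
}

# Constructed sample: placeholder credentials, never a real password.
SAMPLE=$(mktemp)
printf '{\n  "auths": {\n    "registry.example.com": {\n      "auth": "%s"\n    }\n  }\n}\n' \
    "$(printf 'exampleuser:examplepass' | base64)" > "$SAMPLE"
chmod 600 "$SAMPLE"
auth_json_entries "$SAMPLE"                      # registry.example.com exampleuser
auth_json_mode_ok "$SAMPLE" && echo "mode ok"    # mode ok
rm -f "$SAMPLE"
```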
A regular user cannot see the root user's images or containers
// root user
[root@localhost containers]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
542400e3fa18 docker.io/servicestt/l1:v0.2 httpd-foreground 2 hours ago Up 2 hours ago 0.0.0.0:80->80/tcp oo
// regular user
[root@localhost ~]# su - hh
[hh@localhost ~]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
Using storage volumes
When a rootless container runs as root, the root user inside the container is actually your own user on the host.
Other UIDs and GIDs are taken from the user mappings in /etc/subuid and /etc/subgid, beginning at the first UID/GID listed there.
If you mount a host directory into the container as a regular user and create files in that directory as root, you will see that on the host they are actually owned by your user.
Using volumes
Without the label, accessing the directory inside the container reports an error
docker and podman require the firewall to be running
z: shared label; the directory is mounted between the container and the host, and other containers can share and access it too
Z: private label; apart from the host, only this container can see it, other containers cannot share it
Commands for creating it
mkdir /home/hh/data
[hh@localhost ~]$ podman run -it -v $(pwd)/data:/data:Z busybox /bin/sh
/ # ls
bin data dev etc home proc root run sys tmp usr var
[root@localhost hh]# ls
data
[root@localhost hh]# cd data/
[root@localhost data]# ls
[root@localhost data]# touch qq ww ee
/data # mkdir 66
/data #
[root@localhost data]# ls
66 ee qq ww
// We can see that the files in the container are owned by root:root. How can they be owned by user hh instead? The answer is below.
// in the container
/data $ ls -l
total 0
-rw-r--r--. 1 root root 0 Aug 15 17:39 ee
// just add --userns=keep-id when running the container.
[hh@localhost ~]$ podman run -it -v $(pwd)/data:/data:Z --userns=keep-id busybox /bin/sh
~ $ ls
bin data dev etc home proc root run sys tmp usr var
~ $ cd data/
/data $ ls -l    // look at the files created earlier
total 0
drwxr-xr-x 2 hh hh 6 Aug 15 09:39 66
-rw-r--r-- 1 nobody nobody 0 Aug 15 09:39 ee
-rw-r--r-- 1 nobody nobody 0 Aug 15 09:39 qq
-rw-r--r-- 1 nobody nobody 0 Aug 15 09:39 ww
/data $ mkdir ll
/data $ ls -l
total 0
drwxr-xr-x 2 hh hh 6 Aug 15 09:39 66
drwxrwxr-x 2 hh hh 6 Aug 15 09:53 aa
drwxr-xr-x 2 hh hh 6 Aug 15 09:57 ll
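The subuid rules from the earlier section and the ownership seen above under --userns=keep-id, carried through in shell as an added example (not code from the original post; the helper names, the sample subuid file and the host UID 1000 for hh are assumptions). It explains why the directory created by container root shows as hh while files created by host root show as nobody.

```shell
#!/bin/sh
# Added example, not from the original post; helper names are assumptions.
# Print "start count" for USER from a subuid/subgid-style FILE; fail if absent.
subid_range() {  # subid_range USER FILE
    awk -F: -v u="$1" '$1 == u { print $2, $3; f = 1 } END { exit !f }' "$2"
}

# Default rootless mapping: container uid 0 is the user's own uid, and
# container uid N (N >= 1) is start + N - 1 from the subuid range. Fails when
# N lies beyond the range, i.e. that uid cannot appear in the container at all.
host_uid_for() {  # host_uid_for OWN_UID CONTAINER_UID USER FILE
    own=$1; cuid=$2
    range=$(subid_range "$3" "$4") || return 1
    set -- $range; start=$1; count=$2
    if [ "$cuid" -eq 0 ]; then echo "$own"
    elif [ "$cuid" -le "$count" ]; then echo $((start + cuid - 1))
    else return 1; fi
}

# --userns=keep-id: the user's own uid keeps its number, the subuid range fills
# the container uids below and above it, and every other host uid (host root
# included) is unmapped and is shown as nobody (65534) inside the container.
keepid_uid_for() {  # keepid_uid_for OWN_UID HOST_UID USER FILE
    own=$1; huid=$2
    range=$(subid_range "$3" "$4") || return 1
    set -- $range; start=$1; count=$2
    if [ "$huid" -eq "$own" ]; then echo "$own"; return 0; fi
    idx=$((huid - start))
    if [ "$idx" -ge 0 ] && [ "$idx" -lt "$count" ]; then
        if [ "$idx" -lt "$own" ]; then echo "$idx"; else echo $((idx + 1)); fi
    else
        echo 65534
    fi
}

# Constructed sample matching the post's usermod line: hh owns 200000-201000.
SAMPLE=$(mktemp); printf 'hh:200000:1001\n' > "$SAMPLE"
echo "www-data (33) in the container is host uid $(host_uid_for 1000 33 hh "$SAMPLE")"
echo "a file owned by host root shows under keep-id as uid $(keepid_uid_for 1000 0 hh "$SAMPLE")"
rm -f "$SAMPLE"
```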
Mapping a container port as a regular user gives a "permission denied" error
[hh@localhost data]$ podman run -d -p 80:80 busybox
Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied
A regular user can map ports >= 1024
[hh@localhost data]$ podman run -dit -p 1024:80 busybox
552140e25cc59c99449066e1d9b69c4b9cd90d14fc1a02736c7dbd390df5b186
[hh@localhost data]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
552140e25cc5 docker.io/library/busybox:latest sh 2 seconds ago Up 2 seconds ago 0.0.0.0:1024->80/tcp interesting_noyce
[hh@localhost data]$ ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:1024 *:*
Solution:
After adding net.ipv4.ip_unprivileged_port_start=80 to /etc/sysctl.conf (echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf), ports >= 80 can be mapped
Add it on the host
[root@localhost ~]# vim /etc/sysctl.conf
[root@localhost ~]# sysctl -p
net.ipv4.ping_group_range = 0 200000
sysctl: cannot stat /proc/sys/sysctl user/max_user_namespaces: No such file or directory
net.ipv4.ip_unprivileged_port_start = 80
As the regular user
[hh@localhost ~]$ podman run -dit -p 80:80 busybox
3712bd410207e7d2c8dc566c9ce597f7051de6095e42d2076754ef7eb8e20e28
[hh@localhost ~]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3712bd410207 docker.io/library/busybox:latest sh 6 seconds ago Up 6 seconds ago 0.0.0.0:80->80/tcp thirsty_bartik
[hh@localhost ~]$ ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:80 *:*
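An added example (not code from the original post; the helper names are assumptions) covering the two sysctl.conf points of this section: a validator that catches malformed lines such as the "sysctl user.max_user_namespaces" entry that made sysctl -p fail above, and a check of whether a given port is publishable rootless under a given net.ipv4.ip_unprivileged_port_start. The sample sysctl.conf is constructed from the post's lines.

```shell
#!/bin/sh
# Added example, not from the original post; helper names are assumptions.
# Print the lines of a sysctl.conf-style FILE that are not "key = value", and
# fail if there are any. The post's "sysctl user.max_user_namespaces=15000"
# is such a line: the stray first word becomes part of the key, which is why
# sysctl -p reports "cannot stat /proc/sys/sysctl user/max_user_namespaces".
sysctl_conf_bad_lines() {  # sysctl_conf_bad_lines FILE
    bad=$(grep -v -E '^[[:space:]]*(#|;|$)' "$1" |
          grep -v -E '^[[:space:]]*[A-Za-z0-9_./-]+[[:space:]]*=' || true)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Decide whether a rootless container may publish host PORT given the value of
# net.ipv4.ip_unprivileged_port_start (START; defaults to the running kernel's).
# Lowering START to 80 as the post does lets every unprivileged process on the
# host bind 80-1023, so set it to exactly the port you need, nothing lower.
rootless_can_bind() {  # rootless_can_bind PORT [START]
    start=${2:-$(sysctl -n net.ipv4.ip_unprivileged_port_start)}
    [ "$1" -ge "$start" ]
}

# Constructed sample reproducing the post's /etc/sysctl.conf additions.
SAMPLE=$(mktemp)
printf '%s\n' 'net.ipv4.ping_group_range=0 200000' \
    'sysctl user.max_user_namespaces=15000' \
    'net.ipv4.ip_unprivileged_port_start=80' > "$SAMPLE"
sysctl_conf_bad_lines "$SAMPLE" || echo "fix the line above before running sysctl -p"
rootless_can_bind 80 80 && echo "port 80 is publishable with start=80"
rootless_can_bind 80 1024 || echo "port 80 is not publishable with the default start=1024"
rm -f "$SAMPLE"
```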