Red Hat RHCE exam, morning session: RHCSA (RH200)
servera.example.com tasks
16. Create a container, configure persistent storage for it and run it as a service
Requirements
Using the nginx image on the registry server, registry.lab.example.com/library/nginx, create a container named sunserver
• Configure it to run as a systemd service, only for the existing user contsvc
• The service is to be named container-sunserver.service and must start automatically after a system reboot
Configure the container service to use persistent storage as follows:
• On the container host, create a directory named container_journal under /home/contsvc
• The container service must mount the host directory /home/contsvc/container_journal at /var/log/journal inside the container
• The persistent storage must be mounted automatically whenever the container service starts
• Inside the container, run: echo RHCSA > /var/log/journal/rhcsa.log
• Both /var/log/journal/rhcsa.log in the container and /home/contsvc/container_journal/rhcsa.log on the host must then contain: RHCSA
Note: registry server address: registry.lab.example.com. Account: admin/redhat321
Task analysis:
• Deploy a container on servera; the container engine on RHEL 8 / CentOS 8 is podman
• Create a container named sunserver on servera from the nginx image, created rootless by the ordinary user contsvc
• Turn the sunserver container into a systemd service that is started and stopped with systemctl and starts at boot
• Bind-mount the host directory /home/contsvc/container_journal to /var/log/journal inside the sunserver container
• Run echo RHCSA > /var/log/journal/rhcsa.log inside the container
Lab preparation:
In the exam the image registry and podman are already set up; for your own lab you have to prepare them yourself
Install podman
[root@servera ~]# yum install -y podman
...........
[root@servera ~]# podman --version
podman version 3.3.1
Configure a registry mirror. This is only needed in the home lab, where the image comes from docker.io; in the exam the image is pulled from registry.lab.example.com. Be aware that this rewrites every docker.io pull to the hosts listed here, so you are trusting those mirrors to serve unmodified images. A [[registry.mirror]] table takes only location (plus insecure / pull-from-mirror); the prefix key belongs to [[registry]]
[root@servera ~]# vim /etc/containers/registries.conf
#add
unqualified-search-registries = ["docker.io"]
[[registry]]
prefix = "docker.io"
location = "8hqtcyi2.mirror.aliyuncs.com"
[[registry.mirror]]
location = "hub-mirror.c.163.com"
Rootless podman needs a few supporting packages (an OCI runtime, an unprivileged overlay filesystem and user-mode networking) plus a subordinate UID/GID range for every user who will run containers; check and install them as follows
[root@servera ~]# yum install -y crun
Unprivileged overlay filesystem for rootless container storage
[root@servera ~]# rpm -qa | grep fuse-overlayfs
User-mode networking for rootless containers
[root@servera ~]# rpm -qa | grep slirp4netns
Enable the fuse-overlayfs mount program (the line lives under [storage.options.overlay]; on kernels with native rootless overlay support, 5.11 and later, this step is optional)
[root@servera ~]# vim /etc/containers/storage.conf
#uncomment
mount_program = "/usr/bin/fuse-overlayfs"
Which ordinary users may use rootless podman is governed by /etc/subuid and /etc/subgid: each user needs a range of subordinate IDs there, which useradd (from shadow-utils) allocates automatically
[root@servera ~]# yum install -y shadow-utils
[root@servera ~]# useradd contsvc
[root@servera ~]# id contsvc
uid=1236(contsvc) gid=1236(contsvc) groups=1236(contsvc)
[root@servera ~]# cat /etc/subuid
contsvc:296608:65536
[root@servera ~]# cat /etc/subgid
contsvc:296608:65536
Allow unprivileged processes to open ICMP sockets so that ping works inside rootless containers: add the line below to /etc/sysctl.conf and reload it. The range is matched against the host GID the container process runs as; this one covers contsvc's own GID (what root inside the container maps to), and would have to be widened to the subgid range if non-root container users also need ping
[root@servera ~]# vim /etc/sysctl.conf
[root@servera ~]# sysctl -p
net.ipv4.ping_group_range = 0 200000
Set the password for contsvc
[root@servera ~]# echo redhat | passwd --stdin contsvc
Changing password for user contsvc.
passwd: all authentication tokens updated successfully.
Verify that the ordinary user can use podman
[root@servera ~]# ssh contsvc@servera
The authenticity of host 'servera (172.25.250.7)' can't be established.
ECDSA key fingerprint is SHA256:1507YKxFMsfKUk7KYZfRo0Dm+yaTW7qOrXWghM3GgBw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'servera,172.25.250.7' (ECDSA) to the list of known hosts.
contsvc@servera's password:
Hello RHCSA!
[contsvc@servera user]$ podman version
Client: Podman Engine
Version: 4.2.0
API Version: 4.2.0
Go Version: go1.18.4
Built: Tue Aug 30 22:20:51 2022
OS/Arch: linux/amd64
Note: the basic environment is now ready and the lab can begin
Hands-on walkthrough:
Log in as contsvc over ssh; `su - contsvc` is not enough, because rootless podman and systemctl --user need a proper login session (a per-user systemd instance, XDG_RUNTIME_DIR and the session D-Bus bus), which pam_systemd sets up for an ssh login but not for su
• Create the directory that will be bind-mounted
[contsvc@servera ~]$ mkdir -pv /home/contsvc/container_journal
mkdir: created directory '/home/contsvc/container_journal'
• Log in to the exam registry with the account from the task note. Name the registry explicitly: without an argument, podman login targets the first entry of unqualified-search-registries, not registry.lab.example.com
[contsvc@servera ~]$ podman login registry.lab.example.com
Username: admin
Password:
Login Succeeded!
• Pull the nginx image into the local store
[contsvc@servera ~]$ podman search nginx
In the exam a short name such as nginx may not resolve, so give podman the fully qualified image name. In the home lab that is the docker.io name; in the exam it is registry.lab.example.com/library/nginx from the task
[contsvc@servera ~]$ podman pull docker.io/library/nginx:latest
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob 7247f6e5c182 skipped: already exists
Copying blob 7a6db449b51b skipped: already exists
Copying blob ca1981974b58 skipped: already exists
Copying blob d4019c921e20 skipped: already exists
Copying blob 7cb804d746d4 skipped: already exists
Copying blob e7a561826262 skipped: already exists
Copying config 2b7d6430f7 done
Writing manifest to image destination
Storing signatures
2b7d6430f78d432f89109b29d88d4c36c868cdbf15dc31d2132ceaa02b993763
• Create and run the container with the storage mounted
[contsvc@servera ~]$ podman run -it -d --name sunserver -v /home/contsvc/container_journal:/var/log/journal:Z nginx
68f3da1e783508d2d0b1d66468eec62bcef082413a91f3867dc4bebe2d500fc3
[contsvc@servera ~]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
68f3da1e7835 docker.io/library/nginx:latest nginx -g daemon o... 5 seconds ago Up 5 seconds ago sunserver
In the exam, use the registry image name from the task instead of the docker.io one, so the command becomes
[contsvc@servera ~]$ podman run -it -d --name sunserver -v /home/contsvc/container_journal:/var/log/journal:Z registry.lab.example.com/library/nginx
podman run --name <container name required by the task>
-it ## allocate a terminal (not needed together with -d, but harmless)
-d ## run detached in the background
-v /home/contsvc/container_journal:/var/log/journal:Z ## bind-mount the host directory into the container; the Z option makes podman relabel the host directory with a private SELinux label (container_file_t with an MCS category unique to this container), so with SELinux enforcing the container may write to it. Without :Z the echo in the next step fails with "Permission denied" on an enforcing host
registry.lab.example.com/library/nginx ## the full image name found with podman search above
• Enter the sunserver container and run the command
[contsvc@servera ~]$ podman exec -it sunserver /bin/bash
root@68f3da1e7835:~# echo RHCSA > /var/log/journal/rhcsa.log
• Verify rhcsa.log on the host (the container is rootless, so root inside the container is contsvc on the host and the file is owned by contsvc)
[contsvc@servera ~]$ cd container_journal/
[contsvc@servera container_journal]$ cat rhcsa.log
RHCSA
Turn the sunserver container into a systemd service and enable it at boot
• Create the user's own systemd unit directory
[contsvc@servera ~]$ mkdir -pv ~/.config/systemd/user
mkdir: created directory '/home/contsvc/.config/systemd'
mkdir: created directory '/home/contsvc/.config/systemd/user'
• Change into the user's unit directory (podman generate systemd --files writes into the current directory)
[contsvc@servera ~]$ cd ~/.config/systemd/user/
• Generate the container's systemd unit. Without --new the unit starts and stops the existing container, so that container must not be removed afterwards; podman generate systemd is deprecated in favour of Quadlet from Podman 4.4 on, but works on the versions shown here
[contsvc@servera user]$ podman generate systemd --name sunserver --files
/home/contsvc/.config/systemd/user/container-sunserver.service
[contsvc@servera user]$ ls
container-sunserver.service
• Load the new unit file
[contsvc@servera user]$ systemctl --user daemon-reload
• Enable lingering, so the user's systemd instance (and with it this service) is started at boot without contsvc logging in
[contsvc@servera user]$ loginctl enable-linger
• Enable the sunserver service at boot
[contsvc@servera user]$ systemctl --user enable container-sunserver.service
Created symlink /home/contsvc/.config/systemd/user/default.target.wants/container-sunserver.service → /home/contsvc/.config/systemd/user/container-sunserver.service.
• Verify that the sunserver container is now managed by systemd: stop it with podman, then start it with systemctl
[contsvc@servera user]$ podman stop sunserver
sunserver
[contsvc@servera user]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
• Start the sunserver service through systemd
[contsvc@servera user]$ systemctl --user start container-sunserver.service
Check the status of the sunserver service
[contsvc@servera user]$ systemctl --user status container-sunserver.service
● container-sunserver.service - Podman container-sunserver.service
Loaded: loaded (/home/contsvc/.config/systemd/user/container-sunserver.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2022-09-03 20:55:47 CST; 7s ago
Docs: man:podman-generate-systemd(1)
Process: 2506 ExecStart=/usr/bin/podman start sunserver (code=exited, status=0/SUCCESS)
Main PID: 2519 (conmon)
CGroup: /user.slice/user-1000.slice/user@1000.service/container-sunserver.service
├─2516 /usr/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable-sandbox --enable-seccomp --enable-ipv6 -c -e 3 -r 4 --net>
├─2519 /usr/bin/conmon --api-version 1 -c 68f3da1e783508d2d0b1d66468eec62bcef082413a91f3867dc4bebe2d500fc3 -u 68f3da1e783508d2d0b1>
└─68f3da1e783508d2d0b1d66468eec62bcef082413a91f3867dc4bebe2d500fc3
├─2528 nginx: master process nginx -g daemon off;
└─2556 nginx: worker process
• Check the state of the sunserver container
[contsvc@servera user]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
68f3da1e7835 docker.io/library/nginx:latest nginx -g daemon o... 13 minutes ago Up 13 seconds ago sunserver
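The steps above are what the task is graded on, and each can be checked mechanically: the mount source, destination and read-write flag from podman inspect, the unit's ExecStart and WantedBy, the enabled state, lingering, and the file content on the host. The script below is an added example, not part of the original walkthrough; it assumes it runs as contsvc in an ssh session on servera with podman, systemctl --user and loginctl available, and the names are the ones the task specifies. The parsers take text so they can be tried on sample output first:

```shell
#!/bin/sh
# Added example: grader-style verification of task 16. Not part of the
# original walkthrough. Assumptions: run as contsvc in an ssh session on
# servera; podman, systemctl --user and loginctl are available; the names
# below are the ones the task specifies.
CONTAINER=sunserver
HOST_DIR=/home/contsvc/container_journal
CTR_DIR=/var/log/journal
UNIT=container-sunserver.service

# check_mounts MOUNT_LIST
# MOUNT_LIST is the output of
#   podman inspect --format '{{range .Mounts}}{{.Source}} {{.Destination}} {{.RW}}{{"\n"}}{{end}}' sunserver
# i.e. one "source destination rw" triple per line. Succeeds when HOST_DIR
# is mounted read-write at CTR_DIR.
check_mounts() {
    printf '%s\n' "$1" | awk -v h="$HOST_DIR" -v c="$CTR_DIR" '
        $1 == h && $2 == c && $3 == "true" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_unit UNIT_TEXT
# Succeeds when the unit installs into default.target (the target a user
# instance reaches at boot; multi-user.target does not exist there) and its
# ExecStart drives this container through podman.
check_unit() {
    printf '%s\n' "$1" | awk -v ctr="$CONTAINER" '
        /^\[/ { sect = $0 }
        sect == "[Install]" && $0 == "WantedBy=default.target" { wanted = 1 }
        sect == "[Service]" && /^ExecStart=.*podman / && index($0, ctr) { exec_ok = 1 }
        END { exit (wanted && exec_ok) ? 0 : 1 }'
}

# check_linger LINE  (output of: loginctl show-user "$USER" -p Linger)
check_linger() { [ "$1" = "Linger=yes" ]; }

# check_log CONTENT  (content of /home/contsvc/container_journal/rhcsa.log)
check_log() { [ "$1" = "RHCSA" ]; }

# verify_live: run every check against the real system; the exit status is
# the number of failed checks.
verify_live() {
    fails=0
    check_mounts "$(podman inspect --format \
        '{{range .Mounts}}{{.Source}} {{.Destination}} {{.RW}}{{"\n"}}{{end}}' "$CONTAINER")" \
        && echo "ok   mount $HOST_DIR -> $CTR_DIR (rw)" \
        || { echo "FAIL mount"; fails=$((fails + 1)); }
    check_unit "$(cat "$HOME/.config/systemd/user/$UNIT" 2>/dev/null)" \
        && echo "ok   unit file" || { echo "FAIL unit file"; fails=$((fails + 1)); }
    systemctl --user is-enabled "$UNIT" >/dev/null 2>&1 \
        && echo "ok   enabled" || { echo "FAIL not enabled"; fails=$((fails + 1)); }
    check_linger "$(loginctl show-user "$(id -un)" -p Linger)" \
        && echo "ok   linger" \
        || { echo "FAIL linger off: service would not start at boot"; fails=$((fails + 1)); }
    check_log "$(cat "$HOST_DIR/rhcsa.log" 2>/dev/null)" \
        && echo "ok   rhcsa.log" || { echo "FAIL rhcsa.log"; fails=$((fails + 1)); }
    return "$fails"
}

# usage (as contsvc, over ssh): sh verify_task16.sh --live
if [ "${1:-}" = "--live" ]; then verify_live; fi
```

The linger check is the one most often missed: with everything else in place, a user service whose owner has no lingering session is simply never started after a reboot, and nothing in podman ps or systemctl --user status hints at it until the machine is rebooted.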