Podman (Part 3)
1. How to sign and distribute container images with Podman
Signing container images comes from the wish to trust only designated image providers, which mitigates man-in-the-middle (MITM) attacks and attacks on the container registry itself. One way to sign images is with a GNU Privacy Guard (GPG) key. This technique generally works with any OCI-compliant container registry, such as Quay.io. It is worth noting that the OpenShift integrated container registry supports this signing mechanism out of the box, which makes a separate signature store unnecessary.
// Start a container registry on the local machine
[root@localhost ~]# sudo podman run -d -p 5000:5000 docker.io/registry
Trying to pull docker.io/library/registry:latest...
Getting image source signatures
Copying blob 213ec9aee27d done
Copying blob 5299e6f78605 done
Copying blob 4c2fb79b7ce6 done
Copying blob 44c4c74a95e4 done
Copying blob 74a97d2d84d9 done
Copying config 3a0f7b0a13 done
Writing manifest to image destination
Storing signatures
a995662c3661cbd71193ebcebbbb5fa25e21b14e69737b11a45b43091e409967
// Retag the image for the local registry
[root@localhost ~]# podman tag docker.io/library/busybox:latest localhost:5000/busybox:b1
// Push the image
[root@localhost ~]# podman push --tls-verify=false localhost:5000/busybox:b1
Getting image source signatures
Copying blob 084326605ab6 done
Copying config 7a80323521 done
Writing manifest to image destination
Storing signatures
[root@localhost ~]# curl http://localhost:5000/v2/busybox/tags/list
{"name":"busybox","tags":["b1"]}
[root@localhost ~]# podman rmi localhost:5000/busybox:b1
Untagged: localhost:5000/busybox:b1
[root@localhost ~]# podman pull --tls-verify=false localhost:5000/busybox:b1
Trying to pull localhost:5000/busybox:b1...
Getting image source signatures
Copying blob b4d7414fe11d skipped: already exists
Copying config 7a80323521 done
Writing manifest to image destination
Storing signatures
7a80323521ccd4c2b4b423fa6e38e5cea156600f40cd855e464cc52a321a24dd
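The session above pushes and pulls the image through the local registry without any signature in play. As an added example, not part of the original notes, the POSIX shell script below writes the policy.json and registries.d entries that make Podman require a GPG signature for localhost:5000; the public key path, the signature-store URL and the signer address are placeholders.

```shell
# Added example (not from the original notes): config files that make Podman
# require a GPG signature on images pulled from the registry started above.
# Placeholders: key /etc/pki/containers/registry.gpg, sigstore http://localhost:8000.
set -eu

REGISTRY="${REGISTRY:-localhost:5000}"
PUBKEY="${PUBKEY:-/etc/pki/containers/registry.gpg}"
SIGSTORE="${SIGSTORE:-http://localhost:8000}"

# Hardened policy.json: reject by default; accept images from $REGISTRY only
# when signed by the key in $PUBKEY. Local storage stays allowed so that push,
# save and load (whose source is containers-storage) keep working.
write_strict_policy() {
  cat > "$1" <<EOF
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "$REGISTRY": [
        {"type": "signedBy", "keyType": "GPGKeys", "keyPath": "$PUBKEY"}
      ]
    },
    "containers-storage": {"": [{"type": "insecureAcceptAnything"}]}
  }
}
EOF
}

# registries.d entry: where 'podman push --sign-by' stages signatures and
# where 'podman pull' fetches them (the registry itself does not store them).
write_sigstore_yaml() {
  cat > "$1" <<EOF
docker:
  $REGISTRY:
    sigstore: $SIGSTORE
    sigstore-staging: file:///var/lib/containers/sigstore
EOF
}

# Quick audit: the stock policy.json has insecureAcceptAnything as its default,
# which accepts unsigned images from any registry not listed explicitly.
policy_is_strict() {
  ! tr -d ' \t\n' < "$1" | grep -q '"default":\[{"type":"insecureAcceptAnything"'
}

# Typical use (signing key in the pusher's GPG keyring; keep TLS on, policy is no substitute):
#   write_strict_policy /etc/containers/policy.json
#   write_sigstore_yaml /etc/containers/registries.d/local.yaml
#   podman push --sign-by admin@example.com localhost:5000/busybox:b1
#   podman pull localhost:5000/busybox:b1   # fails unless the signature verifies
```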
2. Podman remote client
// Enable the Podman API socket on the server
[root@localhost ~]# systemctl start podman // starting the podman service also activates the socket
[root@localhost ~]# systemctl status podman.socket
● podman.socket - Podman API Socket
Loaded: loaded (/usr/lib/systemd/system/podman.socket; disabled; vendor preset: disabled)
Active: active (listening) since Tue 2022-08-16 10:01:13 +03; 2min 20s ago
Docs: man:podman-system-service(1)
Listen: /run/podman/podman.sock (Stream)
Tasks: 0 (limit: 11201)
Memory: 0B
CGroup: /system.slice/podman.socket
8月 16 10:01:13 localhost.localdomain systemd[1]: Listening on Podman API Socket.
// Enable linger for this user so that the socket keeps working while the user is not logged in:
[root@localhost ~]# sudo loginctl enable-linger $USER
// This is only needed when you are not running Podman as root.
// You can verify that the socket is listening with a simple Podman command.
[root@localhost ~]# podman --remote info
host:
arch: amd64
buildahVersion: 1.22.3
cgroupControllers:
- cpuset
- cpu
- cpuacct
- blkio
- memory
- devices
- freezer
- net_cls
- perf_event
3. Basic Podman setup and usage
Inspect a running container
-i on grep makes the match case-insensitive
-l on podman inspect selects the most recently created container
[root@localhost ~]# podman inspect -l | grep -i addr
"IPAddress": "10.88.0.3",
"GlobalIPv6Address": "",
"MacAddress": "66:07:2e:a0:15:f9",
"LinkLocalIPv6Address": "",
"IPAddress": "10.88.0.3",
"GlobalIPv6Address": "",
"MacAddress": "66:07:2e:a0:15:f9",
Show the full details of the latest container
[root@localhost ~]# podman inspect -l
[
{
"Id": "3f0c74932f522fb803a55535c8d6575b11306a9cb46646b526bb6ac49a4617bf",
"Created": "2022-08-15T09:54:39.566733972+03:00",
"Path": "sh",
"Args": [
"sh"
],
"State": {
"OciVersion": "1.0.2-dev",
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 2347,
"ConmonPid": 2335,
"ExitCode": 0,
"Error": "",
"StartedAt": "2022-08-15T09:54:40.060832961+03:00",
"FinishedAt": "0001-01-01T00:00:00Z",
"Healthcheck": {
"Status": "",
"FailingStreak": 0,
"Log": null
}
},
View the logs of a running container
[root@localhost ~]# podman logs --latest
/ # ls
bin dev etc home proc root run sys tmp usr var
/ # exit
View the processes and their resource usage inside a running container
[root@localhost ~]# podman top b1
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
root 1 0 0.000 24.152091478s pts/0 0s
# podman search: search registries for an image
[root@localhost ~]# podman search busybox
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
docker.io docker.io/library/busybox Busybox base image. 2711 [OK]
docker.io docker.io/rancher/busybox 0
docker.io docker.io/ibmcom/busybox 0
// podman pull: fetch an image (here the pull happens implicitly because podman run does not find the image locally)
[root@localhost ~]# podman run -dit --name b1 busybox
Resolved "busybox" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 50783e0dfb64 done
Copying config 7a80323521 done
Writing manifest to image destination
Storing signatures
870a4ff5ba62cb01ad5f9bffd7f3f57e0f60c52459a5ccd092040a50145952f4
# podman images: list local images
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/busybox latest 7a80323521cc 2 weeks ago 1.47 MB
# podman rmi: remove an image
[root@localhost ~]# podman rmi busybox
Untagged: docker.io/library/busybox:latest
Deleted: 7a80323521ccd4c2b4b423fa6e38e5cea156600f40cd855e464cc52a321a24dd
# podman save: export an image to a tar archive
[root@localhost ~]# podman save > c1.tar centos
[root@localhost ~]# ls
anaconda-ks.cfg c1.tar c.tar passwd
# podman load: import an image from a tar archive
[root@localhost ~]# podman load < c1.tar
Getting image source signatures
Copying blob 2653d992f4ef [----------------------------------] 0.0b / 0.0b
Copying config 300e315adb done
Writing manifest to image destination
Storing signatures
Loaded image(s): quay.io/centos/centos:latest
# Pull and push images (the push below is denied because docker.io/library is not the logged-in user's namespace)
[root@localhost ~]# podman tag quay.io/centos/centos:latest quay.io/renweiwei/test:centos
[root@localhost ~]# podman login
Username: renweiwei
Password:
Login Succeeded!
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
<none> <none> 4795b603305e 52 minutes ago 217 MB
docker.io/library/busybox latest 7a80323521cc 2 weeks ago 1.47 MB
quay.io/renweiwei/test centos 300e315adb2f 20 months ago 217 MB
[root@localhost ~]# podman push docker.io/library/busybox:latest
Getting image source signatures
Copying blob 084326605ab6 [--------------------------------------] 8.0b / 1.4MiB
Error: writing blob: initiating layer upload to /v2/library/busybox/blobs/uploads/ in registry-1.docker.io: errors:
denied: requested access to the resource is denied
unauthorized: authentication required
[root@localhost ~]# podman pull docker.io/library/busybox:latest
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 50783e0dfb64 [--------------------------------------] 0.0b / 0.0b
Copying config 7a80323521 done
Writing manifest to image destination
Storing signatures
7a80323521ccd4c2b4b423fa6e38e5cea156600f40cd855e464cc52a321a24dd