podman(三)

1. How to sign and distribute container images with Podman

Signing container images stems from the wish to trust only designated image providers, which mitigates man-in-the-middle (MITM) attacks and attacks on the container registry itself. One way to sign images is with a GNU Privacy Guard (GPG) key. This technique is generally compatible with any OCI-compliant container registry (such as Quay.io). It is worth mentioning that the OpenShift integrated container registry supports this signing mechanism out of the box, which makes a separate signature store unnecessary.

// Start a container registry on the local machine
[root@localhost ~]# sudo podman run -d -p 5000:5000 docker.io/registry
Trying to pull docker.io/library/registry:latest...
Getting image source signatures
Copying blob 213ec9aee27d done  
Copying blob 5299e6f78605 done  
Copying blob 4c2fb79b7ce6 done  
Copying blob 44c4c74a95e4 done  
Copying blob 74a97d2d84d9 done  
Copying config 3a0f7b0a13 done  
Writing manifest to image destination
Storing signatures
a995662c3661cbd71193ebcebbbb5fa25e21b14e69737b11a45b43091e409967

//Retag the image for the local registry
[root@localhost ~]# podman tag docker.io/library/busybox:latest localhost:5000/busybox:b1
//Push the image (--tls-verify=false because the local test registry has no TLS certificate)
[root@localhost ~]# podman push  --tls-verify=false   localhost:5000/busybox:b1
Getting image source signatures
Copying blob 084326605ab6 done  
Copying config 7a80323521 done  
Writing manifest to image destination
Storing signatures
[root@localhost ~]# curl http://localhost:5000/v2/busybox/tags/list
{"name":"busybox","tags":["b1"]}
[root@localhost ~]# podman rmi     localhost:5000/busybox:b1
Untagged: localhost:5000/busybox:b1
[root@localhost ~]# podman pull  --tls-verify=false   localhost:5000/busybox:b1
Trying to pull localhost:5000/busybox:b1...
Getting image source signatures
Copying blob b4d7414fe11d skipped: already exists  
Copying config 7a80323521 done  
Writing manifest to image destination
Storing signatures
7a80323521ccd4c2b4b423fa6e38e5cea156600f40cd855e464cc52a321a24dd
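The push and pull above run with `--tls-verify=false` and neither create nor check a signature; what Podman demands of an image on pull is decided by /etc/containers/policy.json, independently of the TLS flag. The script below is an added example, not code from the original post: it builds a policy that requires a GPG signature for images from the local registry and rejects everything else, and models how the policy scope is resolved for a reference (full repository first, then namespace prefixes, then the registry host, then the default), so you can see which rule `localhost:5000/busybox:b1` and `docker.io/library/busybox:latest` would hit. The public-key path is a placeholder. Producing the signature itself is done with `podman push --sign-by <GPG fingerprint>`, and GPG signatures need a `sigstore` location configured under /etc/containers/registries.d/; neither step is performed here.

```python
"""Model of containers-policy.json signature enforcement for a local registry.

Added example (not part of the original post). The key path is a placeholder;
the scope lookup is a simplified re-implementation of the precedence documented
in containers-policy.json(5), not the containers/image library itself.
"""
import json

PUBKEY_PATH = "/etc/pki/containers/registry-signer.gpg"  # placeholder path (assumption)

# The permissive default many distributions ship: every image is accepted as-is.
PERMISSIVE_POLICY = {"default": [{"type": "insecureAcceptAnything"}]}


def build_signing_policy(registry: str, pubkey_path: str) -> dict:
    """Policy that rejects everything except images from `registry` that carry
    a signature verifiable with the GPG public key at `pubkey_path`."""
    return {
        "default": [{"type": "reject"}],
        "transports": {
            "docker": {
                registry: [
                    {"type": "signedBy", "keyType": "GPGKeys", "keyPath": pubkey_path}
                ]
            },
            # images already in local storage are trusted (they passed the policy on pull)
            "containers-storage": {"": [{"type": "insecureAcceptAnything"}]},
            # archives imported with `podman load` carry no registry signature
            "docker-archive": {"": [{"type": "insecureAcceptAnything"}]},
        },
    }


def scope_candidates(reference: str):
    """Yield policy scopes from most to least specific for a docker:// reference:
    full repository, each namespace prefix, the registry host, then '' (default)."""
    repo = reference.split("@", 1)[0]          # drop any @sha256:... digest
    host, _, path = repo.partition("/")        # host may contain a port, e.g. localhost:5000
    if ":" in path:
        path = path.rsplit(":", 1)[0]          # drop the tag
    parts = path.split("/") if path else []
    for i in range(len(parts), 0, -1):
        yield host + "/" + "/".join(parts[:i])
    yield host
    yield ""


def requirement_for(policy: dict, reference: str) -> list:
    """Return the requirement list that applies to a docker:// reference."""
    scopes = policy.get("transports", {}).get("docker", {})
    for scope in scope_candidates(reference):
        if scope in scopes:
            return scopes[scope]
    return policy["default"]


def is_signature_required(policy: dict, reference: str) -> bool:
    return any(r["type"] == "signedBy" for r in requirement_for(policy, reference))


if __name__ == "__main__":
    policy = build_signing_policy("localhost:5000", PUBKEY_PATH)
    print(json.dumps(policy, indent=2))   # what would be written to /etc/containers/policy.json
    for ref in ("localhost:5000/busybox:b1", "docker.io/library/busybox:latest"):
        print(ref, "->", requirement_for(policy, ref)[0]["type"])
```

With this policy in place, the `podman pull --tls-verify=false localhost:5000/busybox:b1` shown above would fail unless the image had been pushed with a signature that the configured key verifies, while the earlier `podman run busybox` from docker.io would be rejected outright by the default rule.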

2. Podman remote client

//Enable the podman socket on the server
[root@localhost ~]# systemctl start podman    //starting the podman service also starts the socket automatically
[root@localhost ~]# systemctl status podman.socket
● podman.socket - Podman API Socket
   Loaded: loaded (/usr/lib/systemd/system/podman.socket; disabled; vendor preset: disabled)
   Active: active (listening) since Tue 2022-08-16 10:01:13 +03; 2min 20s ago
     Docs: man:podman-system-service(1)
   Listen: /run/podman/podman.sock (Stream)
    Tasks: 0 (limit: 11201)
   Memory: 0B
   CGroup: /system.slice/podman.socket

816 10:01:13 localhost.localdomain systemd[1]: Listening on Podman API Socket.

//You need to enable linger for this user so that the socket keeps working while the user is not logged in:

[root@localhost ~]# sudo loginctl enable-linger $USER
//This is only required if you are not running Podman as root.
//You can verify that the socket is listening with a simple Podman command.
[root@localhost ~]# podman --remote info
host:
  arch: amd64
  buildahVersion: 1.22.3
  cgroupControllers:
  - cpuset
  - cpu
  - cpuacct
  - blkio
  - memory
  - devices
  - freezer
  - net_cls
  - perf_event
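Whoever can connect to /run/podman/podman.sock can drive the rootful Podman service, so after enabling podman.socket it is worth checking the socket's owner, group and mode. The script below is an added example, not part of the original post: it audits a socket path and flags world-accessible permissions. The path is the one from the systemctl output above (for a rootless user the socket lives under $XDG_RUNTIME_DIR/podman/podman.sock instead); the throw-away socket helper exists only so the check can be exercised without a running Podman service.

```python
"""Audit the permissions of the Podman API socket.

Added example (not part of the original post). Default path taken from the
`systemctl status podman.socket` output; the upstream podman.socket unit sets
SocketMode=0660, so only root and the socket's group should be able to use it.
"""
import os
import socket
import stat
import tempfile

DEFAULT_SOCKET = "/run/podman/podman.sock"


def audit_socket(path: str = DEFAULT_SOCKET) -> dict:
    """Return owner, group, mode and a list of problems for the socket at `path`.
    An empty `problems` list means the socket exists and is not world-accessible."""
    result = {"path": path, "exists": False, "is_socket": False,
              "mode": None, "uid": None, "gid": None, "problems": []}
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        result["problems"].append("socket not found (is podman.socket active?)")
        return result
    perm = stat.S_IMODE(st.st_mode)
    result.update(exists=True, is_socket=stat.S_ISSOCK(st.st_mode),
                  mode=format(perm, "04o"), uid=st.st_uid, gid=st.st_gid)
    if not result["is_socket"]:
        result["problems"].append("path exists but is not a UNIX socket")
    if perm & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        result["problems"].append(
            f"world-accessible socket (mode {result['mode']}): "
            "every local user could control Podman through it")
    return result


def demo_on_temp_socket(mode: int) -> dict:
    """Create a throw-away UNIX socket with `mode`, audit it and clean up.
    Only here to demonstrate the check offline; it never touches the real socket."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "podman.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
        os.chmod(path, mode)
        return audit_socket(path)
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    for m in (0o660, 0o666):
        r = demo_on_temp_socket(m)
        print(f"mode {r['mode']}: {r['problems'] or 'ok'}")
    real = audit_socket()   # the live socket, if this host runs podman.socket
    print(real["path"], real["mode"], real["uid"], real["gid"], real["problems"] or "ok")
```

Run it on the server after `systemctl start podman`; a non-empty `problems` list for the real socket means the unit's permissions were changed, and `gid` tells you which group (if any) has been granted access to the API.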

3. Basic Podman setup and usage

Inspect a running container

-i (grep) ignores case
-l (podman inspect --latest) selects the most recently created container

[root@localhost ~]# podman inspect -l | grep -i addr
            "IPAddress": "10.88.0.3",
            "GlobalIPv6Address": "",
            "MacAddress": "66:07:2e:a0:15:f9",
            "LinkLocalIPv6Address": "",
                    "IPAddress": "10.88.0.3",
                    "GlobalIPv6Address": "",
                    "MacAddress": "66:07:2e:a0:15:f9",

View the details of the latest container

[root@localhost ~]# podman inspect -l
[
    {
        "Id": "3f0c74932f522fb803a55535c8d6575b11306a9cb46646b526bb6ac49a4617bf",
        "Created": "2022-08-15T09:54:39.566733972+03:00",
        "Path": "sh",
        "Args": [
            "sh"
        ],
        "State": {
            "OciVersion": "1.0.2-dev",
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 2347,
            "ConmonPid": 2335,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2022-08-15T09:54:40.060832961+03:00",
            "FinishedAt": "0001-01-01T00:00:00Z",
            "Healthcheck": {
                "Status": "",
                "FailingStreak": 0,
                "Log": null
            }
        },
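`podman inspect -l | grep -i addr` prints each address twice because the same values appear both directly under NetworkSettings and again under NetworkSettings.Networks.<network>. Walking the parsed JSON instead shows where each value comes from and lets you pick out the fields you actually want. The script below is an added example, not code from the original post; its sample document is constructed from the excerpt above, and the NetworkSettings layout is an assumption about the part the excerpt cuts off. For a one-off query Podman's own `--format` Go template (e.g. `podman inspect -l --format '{{.NetworkSettings.IPAddress}}'`) is the built-in alternative.

```python
"""Report every address field in `podman inspect` output with its JSON path.

Added example (not part of the original post). SAMPLE_INSPECT is constructed
from the excerpt above; the NetworkSettings section is assumed.
"""
import json

SAMPLE_INSPECT = json.dumps([{
    "Id": "3f0c74932f522fb803a55535c8d6575b11306a9cb46646b526bb6ac49a4617bf",
    "State": {"Status": "running", "Running": True, "Pid": 2347},
    "NetworkSettings": {
        "IPAddress": "10.88.0.3",
        "GlobalIPv6Address": "",
        "MacAddress": "66:07:2e:a0:15:f9",
        "LinkLocalIPv6Address": "",
        "Networks": {
            "podman": {
                "IPAddress": "10.88.0.3",
                "GlobalIPv6Address": "",
                "MacAddress": "66:07:2e:a0:15:f9",
            }
        },
    },
}])


def find_keys(obj, needle, path=""):
    """Yield (json_path, value) for every key containing `needle`, case-insensitively,
    recursing through dicts and lists (the structured equivalent of grep -i)."""
    needle = needle.lower()
    if isinstance(obj, dict):
        for k, v in obj.items():
            child = f"{path}.{k}" if path else k
            if needle in k.lower():
                yield child, v
            yield from find_keys(v, needle, child)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from find_keys(v, needle, f"{path}[{i}]")


def addresses(inspect_json: str, needle: str = "addr") -> list:
    """Parse inspect output and return [(path, value)] for matching keys,
    dropping empty strings so unused IPv6 fields do not clutter the result."""
    return [(p, v) for p, v in find_keys(json.loads(inspect_json), needle) if v != ""]


def summary(inspect_json: str) -> dict:
    """The fields an operator usually wants: short id, status, pid, IPv4 per network."""
    doc = json.loads(inspect_json)[0]
    nets = doc.get("NetworkSettings", {}).get("Networks", {})
    return {
        "id": doc["Id"][:12],
        "status": doc["State"]["Status"],
        "pid": doc["State"]["Pid"],
        "ips": {name: n.get("IPAddress", "") for name, n in nets.items()},
    }


if __name__ == "__main__":
    # On a real host: data = subprocess.check_output(["podman", "inspect", "-l"])
    for path, value in addresses(SAMPLE_INSPECT):
        print(f"{path:50} {value}")
    print(summary(SAMPLE_INSPECT))
```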

View the logs of a running container

[root@localhost ~]# podman logs --latest
/ # ls
bin   dev   etc   home  proc  root  run   sys   tmp   usr   var
/ # exit

View process resource usage inside a running container

[root@localhost ~]# podman top b1
USER        PID         PPID        %CPU        ELAPSED        TTY         TIME        COMMAND
root        1           0           0.000       24.152091478s  pts/0       0s  
# podman search: search registries for an image
[root@localhost ~]# podman search busybox
INDEX       NAME                                         DESCRIPTION                                      STARS       OFFICIAL    AUTOMATED
docker.io   docker.io/library/busybox                    Busybox base image.                              2711        [OK]        
docker.io   docker.io/rancher/busybox                                                                     0                       
docker.io   docker.io/ibmcom/busybox                                                                      0                       
// podman pull: fetch an image (here it is pulled implicitly by podman run)
[root@localhost ~]# podman run -dit --name b1 busybox
Resolved "busybox" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 50783e0dfb64 done  
Copying config 7a80323521 done  
Writing manifest to image destination
Storing signatures
870a4ff5ba62cb01ad5f9bffd7f3f57e0f60c52459a5ccd092040a50145952f4

# podman images: list local images
[root@localhost ~]# podman images
REPOSITORY                 TAG         IMAGE ID      CREATED      SIZE
docker.io/library/busybox  latest      7a80323521cc  2 weeks ago  1.47 MB

# podman rmi: remove an image
[root@localhost ~]#  podman rmi busybox
Untagged: docker.io/library/busybox:latest
Deleted: 7a80323521ccd4c2b4b423fa6e38e5cea156600f40cd855e464cc52a321a24dd

# podman save: export an image to a tar archive
[root@localhost ~]# podman save > c1.tar centos
[root@localhost ~]# ls
anaconda-ks.cfg  c1.tar  c.tar  passwd

# podman load: import an image from a tar archive
[root@localhost ~]# podman load < c1.tar 
Getting image source signatures
Copying blob 2653d992f4ef [----------------------------------] 0.0b / 0.0b
Copying config 300e315adb done  
Writing manifest to image destination
Storing signatures
Loaded image(s): quay.io/centos/centos:latest

# Pull and push images (the push to docker.io/library fails because that namespace belongs to the official images; push to your own namespace instead)
[root@localhost ~]# podman tag quay.io/centos/centos:latest  quay.io/renweiwei/test:centos

[root@localhost ~]# podman login
Username: renweiwei
Password: 
Login Succeeded!
[root@localhost ~]# podman images
REPOSITORY                 TAG         IMAGE ID      CREATED         SIZE
<none>                     <none>      4795b603305e  52 minutes ago  217 MB
docker.io/library/busybox  latest      7a80323521cc  2 weeks ago     1.47 MB
quay.io/renweiwei/test     centos      300e315adb2f  20 months ago   217 MB


[root@localhost ~]# podman push docker.io/library/busybox:latest
Getting image source signatures
Copying blob 084326605ab6 [--------------------------------------] 8.0b / 1.4MiB
Error: writing blob: initiating layer upload to /v2/library/busybox/blobs/uploads/ in registry-1.docker.io: errors:
denied: requested access to the resource is denied
unauthorized: authentication required

[root@localhost ~]# podman pull docker.io/library/busybox:latest
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 50783e0dfb64 [--------------------------------------] 0.0b / 0.0b
Copying config 7a80323521 done  
Writing manifest to image destination
Storing signatures
7a80323521ccd4c2b4b423fa6e38e5cea156600f40cd855e464cc52a321a24dd