podman
Basic setup and use of Podman
Podman is a utility provided as part of the libpod library. It can be used to create and maintain containers. Below are some basic commands run with Podman.
Running a container
This example container runs a very basic httpd server that only serves its index page.
[root@localhost ~]# podman run -dt -p 8080:8080/tcp -e HTTPD_VAR_RUN=/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d \
> -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf \
> -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \
> registry.fedoraproject.org/f29/httpd /usr/bin/run-httpd
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob d77ff9f653ce done
Copying blob 7692efc5f81c done
Copying blob aaf5ad2e1aa3 done
Copying config 25c76f9dcd done
Writing manifest to image destination
Storing signatures
51cd0bb77c6a0ff5cb6ba08944e566032ea15a794f84e1d614992d300e87c0cf
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
51cd0bb77c6a registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 59 seconds ago Up 59 seconds ago 0.0.0.0:8080->8080/tcp quirky_tharp
Inspecting the running container
[root@localhost ~]# podman inspect -l | grep -i ipaddress
"IPAddress": "10.88.0.2",
"IPAddress": "10.88.0.2",
Parameters:
-l or --latest selects the most recently created container
Testing the httpd server
[root@localhost ~]# curl http://localhost:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Test Page for the Apache HTTP Server on Fedora</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
/*<![CDATA[*/
body {
background-color: #fff;
color: #000;
font-size: 0.9em;
font-family: sans-serif,helvetica;
margin: 0;
padding: 0;
...............
Viewing the result in a browser
Access it via the host's address plus the mapped port.
Viewing the container's logs
The 403 in the access log below is expected: the image ships no index.html, so httpd answers with the Fedora test page and a 403 status, which is exactly what curl received above.
[root@localhost ~]# podman logs --latest
=> sourcing 10-set-mpm.sh ...
=> sourcing 20-copy-config.sh ...
=> sourcing 40-ssl-certs.sh ...
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.2. Set the 'ServerName' directive globally to suppress this message
ing DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive
10.88.0.1 - - [16/Aug/2022:02:14:10 +0000] "GET / HTTP/1.1" 403 4650 "-" "curl/7.61.1"
......
Viewing the container's processes
You can use top to observe the httpd PIDs inside the container.
[root@localhost ~]# podman top -l
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
default 1 0 0.000 7m26.728908091s pts/0 0s httpd -D FOREGROUND
default 23 1 0.000 7m26.729128146s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 24 1 0.000 7m26.729166811s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 25 1 0.000 7m26.729201844s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 26 1 0.000 7m26.729262943s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 27 1 0.000 7m26.729295876s pts/0 0s httpd -D FOREGROUND
default 28 1 0.000 7m26.729325758s pts/0 0s httpd -D FOREGROUND
default 30 1 0.000 7m26.729359671s pts/0 0s httpd -D FOREGROUND
default 41 1 0.000 7m26.729391369s pts/0 0s httpd -D FOREGROUND
Checkpointing a container
[root@localhost ~]# podman container checkpoint -l
51cd0bb77c6a0ff5cb6ba08944e566032ea15a794f84e1d614992d300e87c0cf
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0f5c3eb79fd3 quay.io/centos/centos:latest /bin/bash 35 hours ago Exited (0) 35 hours ago jovial_wozniak
35bf495d5a60 quay.io/centos/centos:latest /bin/bash 35 hours ago Exited (0) 35 hours ago web
51cd0bb77c6a registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 8 minutes ago Exited (0) 37 seconds ago 0.0.0.0:8080->8080/tcp quirky_tharp
## This is effectively a snapshot: podman hands the process tree to CRIU, writes its state to disk and stops the container (note the Exited status above); restore brings the same processes back instead of starting the container fresh.
Restoring the container
[root@localhost ~]# podman container restore -l
51cd0bb77c6a0ff5cb6ba08944e566032ea15a794f84e1d614992d300e87c0cf
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
51cd0bb77c6a registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 10 minutes ago Up 10 minutes ago 0.0.0.0:8080->8080/tcp quirky_tharp
How to sign and distribute container images with Podman
The motivation for signing container images is to trust only dedicated image providers, mitigating man-in-the-middle (MITM) attacks or attacks on the container registry. One way to sign images is with a GNU Privacy Guard (GPG) key. This technique is generally compatible with any OCI-compliant container registry, e.g. Quay.io. It is worth mentioning that the OpenShift integrated container registry supports this signing mechanism out of the box, which makes a separate signature store unnecessary.
From a technical perspective, we can use Podman to sign an image before pushing it to a remote registry. Afterwards, every system running Podman must be configured to retrieve signatures from a remote server, which can be any simple web server. Rejection of unsigned images does not follow automatically, though: the signature location configured in registries.d only tells the client where to look, and the client rejects an unsigned image only once the trust policy in /etc/containers/policy.json carries a signedBy requirement for that registry (the default policy accepts anything). But how does this work?
First, we must create a GPG key pair or choose one that is already available locally. To generate a new GPG key, just run gpg --full-gen-key and follow the interactive dialog. Afterwards we should be able to verify that the key exists locally. The walkthrough below first starts a local registry and pulls an image to sign, then generates the key:
// Start a local registry container
[root@localhost ~]# podman run -d -p 5000:5000 docker.io/registry
Trying to pull docker.io/library/registry:latest...
Getting image source signatures
Copying blob 3790aef225b9 done
Copying blob e2ead8259a04 done
Copying blob 0d96da54f60b done
Copying blob 79e9f2f55bf5 done
Copying blob 5b27040df4a2 done
Copying config b8604a3fe8 done
Writing manifest to image destination
Storing signatures
887b6bd66d63a90540f8f3fc99a40acb8785387fef8a44ca61c09362837f91a8
// Pull an image
[root@localhost ~]# podman pull docker://docker.io/alpine:latest
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob 59bf1c3509f3 done
Copying config c059bfaa84 done
Writing manifest to image destination
Storing signatures
c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18
[root@localhost ~]# podman images alpine
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
[root@localhost ~]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:5000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
[root@localhost ~]# podman tag alpine localhost:5000/alpine
[root@localhost ~]# podman images alpine
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
localhost:5000/alpine latest c059bfaa849c 8 months ago 5.87 MB
Modify the configuration file. default.yaml in registries.d applies to every registry that has no more specific file of its own; the sigstore key is the older spelling of lookaside and is still accepted. Clients on other hosts need the signing host's reachable address here rather than localhost.
[root@localhost ~]# cd /etc/containers/
[root@localhost containers]# ls
certs.d policy.json registries.conf.d storage.conf
oci registries.conf registries.d
[root@localhost containers]# cd registries.d
[root@localhost registries.d]# ls
default.yaml registry.redhat.io.yaml
registry.access.redhat.com.yaml
[root@localhost registries.d]# vim default.yaml
sigstore: http://localhost:8000
Generate a key. The dialog below accepts the defaults (RSA 2048, no expiry) and reuses the e-mail address as the real name; for a key that will sign production images, set an expiry and keep the revocation certificate that gpg writes under ~/.gnupg/openpgp-revocs.d off the signing host.
[root@localhost ~]# gpg --full-gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: sgrunert@suse.com
Email address: sgrunert@suse.com
Comment: yyds
You selected this USER-ID:
"sgrunert@suse.com (yyds) <sgrunert@suse.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 64D2A5BE2728E7D6 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/CC56FE9969EF5624FCE802A764D2A5BE2728E7D6.rev'
public and secret key created and signed.
pub rsa2048 2022-08-15 [SC]
CC56FE9969EF5624FCE802A764D2A5BE2728E7D6
uid sgrunert@suse.com (yyds) <sgrunert@suse.com>
sub rsa2048 2022-08-15 [E]
[root@localhost ~]# gpg --list-keys sgrunert@suse.com
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub rsa2048 2022-08-15 [SC]
CC56FE9969EF5624FCE802A764D2A5BE2728E7D6
uid [ultimate] sgrunert@suse.com (yyds) <sgrunert@suse.com>
sub rsa2048 2022-08-15 [E]
Push and sign. --tls-verify=false is tolerable only because the registry here is a throwaway plain-HTTP instance on localhost; the signature is made over the manifest, so image integrity on the pull side rests on the GPG public key rather than on TLS.
[root@localhost ~]# podman push --tls-verify=false --sign-by sgrunert@suse.com localhost:5000/alpine
Getting image source signatures
Copying blob 8d3ac3489996 done
Copying config c059bfaa84 done
Writing manifest to image destination
Signing manifest
Storing signatures
// Signature written locally by the push (this directory is what the web server below publishes)
[root@localhost ~]# ls /var/lib/containers/sigstore/
'alpine@sha256=a65d71e7a88c3a63246ec299abb0dcec671579ac0af199d96e2a82339f061199'
[root@localhost ~]# bash -c 'cd /var/lib/containers/sigstore && python3 -m http.server'
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
[root@localhost ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 5 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
// Add a firewall rule so that hosts on 192.168.205.0/24 can reach the signature server on port 8000
[root@localhost ~]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=192.168.205.0/24 port port=8000 protocol=tcp accept' --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
Access
Delete the local images, so that a later pull of localhost:5000/alpine has to go through the registry and signature verification:
[root@localhost ~]# podman rmi docker.io/alpine localhost:5000/alpine
Untagged: docker.io/library/alpine:latest
Untagged: localhost:5000/alpine:latest
Deleted: c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18
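The procedure above configures where signatures are published and fetched, but never the trust policy that makes a pull fail without one. The following is an added example, not code from the page or from the containers/image library: it models, in simplified form, the scope matching of containers-policy.json(5) (which requirement applies to a given image reference, most specific scope first, then the transport default, then the global default) and the lookaside path layout of containers-registries.d(5) that the `ls /var/lib/containers/sigstore/` listing above reflects. The policy contents and the key path are assumptions; wildcard scopes and the cosign/sigstore signature format are left out. The digest is the one from the page's sigstore listing.

```python
"""Simplified model of a Podman client's pull-side trust decision and of
where it fetches a GPG signature from.  Added example, not the page's or
the containers/image project's code."""
import json

# Assumed policy: accept anything by default, but require a GPG signature
# for everything under the local registry.  Without such an entry an
# unsigned image is never rejected.
POLICY = {
    "default": [{"type": "insecureAcceptAnything"}],
    "transports": {
        "docker": {
            "localhost:5000": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    # assumed location of the exported public key
                    "keyPath": "/etc/pki/containers/sgrunert.gpg",
                }
            ]
        }
    },
}

# Assumed registries.d setting (the page puts this in default.yaml).
LOOKASIDE_BASE = "http://localhost:8000"


def policy_json(policy=POLICY):
    """Render the policy as it would be written to /etc/containers/policy.json."""
    return json.dumps(policy, indent=4)


def split_reference(ref):
    """Split 'host[:port]/path[:tag][@digest]' into (host, path, suffix).

    Applies Docker's normalisation: a bare name such as 'alpine' lives on
    docker.io, and a single-component docker.io path gets 'library/'.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    host, sep, path = ref.partition("/")
    if not sep or ("." not in host and ":" not in host and host != "localhost"):
        host, path = "docker.io", ref      # no registry component given
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    if host == "docker.io" and "/" not in path:
        path = "library/" + path
    suffix = f"@{digest}" if digest else (f":{tag}" if tag else "")
    return host, path, suffix


def candidate_scopes(ref):
    """Policy scopes for a docker reference, most specific first."""
    host, path, suffix = split_reference(ref)
    scopes = []
    if suffix:
        scopes.append(f"{host}/{path}{suffix}")
    parts = path.split("/")
    for n in range(len(parts), 0, -1):
        scopes.append(host + "/" + "/".join(parts[:n]))
    scopes.append(host)
    return scopes


def requirements_for(policy, ref, transport="docker"):
    """Requirements that apply to ref: most specific scope, then the
    transport-wide '' scope, then the global default."""
    scoped = policy.get("transports", {}).get(transport, {})
    for scope in candidate_scopes(ref):
        if scope in scoped:
            return scoped[scope]
    return scoped.get("", policy["default"])


def verdict(policy, ref):
    """What the policy does with an UNSIGNED copy of ref."""
    types = {req["type"] for req in requirements_for(policy, ref)}
    if "reject" in types:
        return "reject"
    if types & {"signedBy", "sigstoreSigned"}:
        return "signature-required"
    return "accept-unsigned"


def lookaside_url(base, ref, manifest_digest):
    """URL of the first signature for a manifest:
    <base>/<repository path>@<algo>=<hex>/signature-<n>."""
    _, path, _ = split_reference(ref)
    algo, hexdigest = manifest_digest.split(":", 1)
    return f"{base.rstrip('/')}/{path}@{algo}={hexdigest}/signature-1"


if __name__ == "__main__":
    digest = "sha256:a65d71e7a88c3a63246ec299abb0dcec671579ac0af199d96e2a82339f061199"
    for ref in ("localhost:5000/alpine", "docker.io/alpine:latest", "alpine"):
        print(f"{ref:28} -> {verdict(POLICY, ref)}")
    print(lookaside_url(LOOKASIDE_BASE, "localhost:5000/alpine", digest))
```

With this policy in place, only images under localhost:5000 are held to a signature; everything from docker.io still falls through to insecureAcceptAnything, which is the usual way to roll signing out one registry at a time. On a real host, podman image trust set with the exported public key writes the equivalent policy entry, and podman image trust show displays the resulting table.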
Commonly used podman commands
// Manage containers
[root@localhost ~]# podman container
Manage containers
Description:
Manage containers
Usage:
podman container [command]
Available Commands:
attach Attach to a running container
checkpoint Checkpoints one or more containers
cleanup Cleanup network and mountpoints of one or more containers
commit Create new image based on the changed container
cp Copy files/folders between a container and the local filesystem
create Create but do not start a container
diff Inspect changes to the container's file systems
exec Run a process in a running container
exists Check if a container exists in local storage
export Export container's filesystem contents as a tar archive
init Initialize one or more containers
inspect Display the configuration of a container
kill Kill one or more running containers with a specific signal
list List containers
logs Fetch the logs of one or more containers
mount Mount a working container's root filesystem
pause Pause all the processes in one or more containers
port List port mappings or a specific mapping for the container
prune Remove all non running containers
ps List containers
rename Rename an existing container
restart Restart one or more containers
restore Restores one or more containers from a checkpoint
rm Remove one or more containers
run Run a command in a new container
runlabel Execute the command described by an image label
start Start one or more containers
stats Display a live stream of container resource usage statistics
stop Stop one or more containers
top Display the running processes of a container
unmount Unmounts working container's root filesystem
unpause Unpause the processes in one or more containers
wait Block on one or more containers
// Copy files into a container
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e0b2c3115119 docker.io/library/busybox:latest sh 6 minutes ago Up 6 minutes ago modest_hellman
[root@localhost ~]# ls
anaconda-ks.cfg
[root@localhost ~]# podman cp anaconda-ks.cfg e0b2c3115119:/
// Check on another host
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@localhost ~]# podman run -it busybox
/ # ls
bin etc proc run tmp var
dev home root sys usr
/ # ls
anaconda-ks.cfg home sys
bin proc tmp
dev root usr
etc run var
// Create a container without starting it
[root@localhost ~]# podman create --name web httpd
d4e4125ed4578d624d28bf1d05e120f16bced71d3f7b88f31e6a953d0ca74873
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f310b5a6107c docker.io/library/busybox:latest sh 24 minutes ago Exited (0) 21 minutes ago blissful_chaum
e0b2c3115119 docker.io/library/busybox:latest sh 13 minutes ago Up 13 minutes ago modest_hellman
d4e4125ed457 docker.io/library/httpd:latest httpd-foreground 2 minutes ago Created web
// Inspect changes on the container's filesystem (relative to its image)
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e0b2c3115119 docker.io/library/busybox:latest sh 16 minutes ago Up 16 minutes ago modest_hellman
[root@localhost ~]# podman diff e0b2c3115119
A /anaconda-ks.cfg
C /root
A /root/.ash_history
C /etc
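The A/C/D lines above are the raw material for a drift check: anything a container wrote that its workload has no business writing is worth a look. The following is an added example, not code from the page; it parses the output format `podman diff` prints (the four lines above plus three constructed entries) and flags changes outside an allow-list. The allow-list is an assumption for an interactive busybox shell container.

```python
"""Turn `podman diff` output into a drift report.  Added example, not
the page's code; the last three sample lines are constructed."""
import posixpath
import re
from collections import Counter

# The page's four lines, followed by three constructed entries.
SAMPLE_DIFF = """\
A /anaconda-ks.cfg
C /root
A /root/.ash_history
C /etc
C /etc/passwd
A /etc/cron.d/update
D /usr/bin/wget
"""

# Assumed: an interactive shell may write its history and scratch files.
ALLOWED_PREFIXES = ("/root/", "/tmp/")

LINE_RE = re.compile(r"^([ACD]) (/\S*)$")


def parse_diff(text):
    """Return [(kind, path), ...] in the order podman printed them."""
    changes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised podman diff line: {raw!r}")
        changes.append((m.group(1), m.group(2)))
    return changes


def summarize(changes):
    """Count added/changed/deleted entries, e.g. {'A': 3, 'C': 3, 'D': 1}."""
    return dict(Counter(kind for kind, _ in changes))


def suspicious(changes, allowed=ALLOWED_PREFIXES):
    """Changes outside the allow-list.

    A 'C' on a directory only records that something underneath it was
    added or removed, so a 'C' entry that is the parent of another listed
    path is dropped; a 'C' on a leaf path is a real content change.
    """
    parents = {posixpath.dirname(path) for _, path in changes}
    flagged = []
    for kind, path in changes:
        if kind == "C" and path in parents:
            continue
        if path.startswith(allowed):
            continue
        flagged.append((kind, path))
    return flagged


if __name__ == "__main__":
    changes = parse_diff(SAMPLE_DIFF)
    print("summary:", summarize(changes))
    for kind, path in suspicious(changes):
        print(f"{kind} {path}")
```

Run against a live container, the input would be the output of `podman diff <id>`; the report then points at a modified /etc/passwd, a new cron job and a deleted binary while staying quiet about the shell history the allow-list expects.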
// Enter a running container
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e0b2c3115119 docker.io/library/busybox:latest sh 20 minutes ago Up 20 minutes ago modest_hellman
[root@localhost ~]# podman exec -it e0b2c3115119 /bin/sh
/ #
// Check container health. The error below is expected: neither the busybox image nor the run command defines a health check; one is defined with HEALTHCHECK in the Containerfile or with --health-cmd at run time
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e0b2c3115119 docker.io/library/busybox:latest sh 22 minutes ago Up 22 minutes ago modest_hellman
[root@localhost ~]# podman healthcheck run e0b2c3115119
Error: container e0b2c3115119144fd41ea4af745b92ceee0772b8a200ef4f69d3c80db2c2bf2d has no defined healthcheck
// View image history
[root@localhost ~]# podman history centos
ID CREATED CREATED BY SIZE COMMENT
300e315adb2f 20 months ago /bin/sh -c #(nop) CMD ["/bin/bash"] 0 B
<missing> 20 months ago /bin/sh -c #(nop) LABEL org.label-schema.... 0 B
<missing> 20 months ago /bin/sh -c #(nop) ADD file:bd7a2aed6ede423... 217 MB
// Manage images
[root@localhost ~]# podman image
Manage images
Description:
Manage images
Usage:
podman image [command]
Available Commands:
build Build an image using instructions from Containerfiles
diff Inspect changes to the image's file systems
exists Check if an image exists in local storage
history Show history of a specified image
import Import a tarball to create a filesystem image
inspect Display the configuration of an image
list List images in local storage
load Load image(s) from a tar archive
mount Mount an image's root filesystem
prune Remove unused images
pull Pull an image from a registry
push Push an image to a specified destination
rm Removes one or more images from local storage
save Save image(s) to an archive
scp securely copy images
search Search registry for image
sign Sign an image
tag Add an additional name to a local image
tree Prints layer hierarchy of an image in a tree format
trust Manage container image trust policy
unmount Unmount an image's root filesystem
untag Remove a name from a local image
// List images
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/busybox latest beae173ccac6 7 months ago 1.46 MB
docker.io/library/httpd latest dabbfbe0c57b 7 months ago 148 MB
quay.io/centos/centos latest 300e315adb2f 20 months ago 217 MB
// Show podman system information
[root@localhost ~]# podman info
host:
arch: amd64
buildahVersion: 1.24.1
cgroupControllers:
- cpuset
- cpu
- cpuacct
- blkio
- memory
- devices
- freezer
- net_cls
- perf_event
- net_prio
- hugetlb
- pids
- rdma
....................
// Generate a systemd unit file for a container (--new makes the unit create a fresh container on each start instead of reusing this one)
[root@localhost ~]# podman run -d --name web -p 80:80 httpd
bd0a480f9940cf203937a4f794bc0566b85e697d507e1d853397d9492a4394f7
[root@localhost ~]# podman generate systemd --name web --files --new
/root/container-web.service
[root@localhost ~]# ls
anaconda-ks.cfg container-web.service
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6ddfa02a1667 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 2 hours ago Up 2 hours ago 0.0.0.0:8080->8080/tcp quirky_mestorf
887b6bd66d63 docker.io/library/registry:latest /etc/docker/regis... 2 hours ago Up 2 hours ago 0.0.0.0:5000->5000/tcp intelligent_germain
bd0a480f9940 docker.io/library/httpd:latest httpd-foreground 2 minutes ago Up 2 minutes ago 0.0.0.0:80->80/tcp web
// List port mappings or a specific mapping for the container
[root@localhost ~]# podman port web
80/tcp -> 0.0.0.0:80
// Rename a container
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
bd0a480f9940 docker.io/library/httpd:latest httpd-foreground 5 minutes ago Up 5 minutes ago 0.0.0.0:80->80/tcp web
[root@localhost ~]# podman rename web yyds
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
bd0a480f9940 docker.io/library/httpd:latest