Basic Podman setup and usage
Getting familiar with Podman
Podman is a utility provided as part of the libpod library. It can be used to create and maintain containers. The following tutorial shows how to set up Podman and run a few basic commands with it.
Run a container
[root@localhost ~]# podman run -dt -p 8080:8080/tcp -e HTTPD_VAR_RUN=/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ registry.fedoraproject.org/f29/httpd /usr/bin/run-httpd
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob 7692efc5f81c skipped: already exists
Copying blob aaf5ad2e1aa3 done
Copying blob d77ff9f653ce done
Copying config 25c76f9dcd done
Writing manifest to image destination
Storing signatures
6ddfa02a1667fd0145327306363c9f7351e55af007f835b4a32dbb7eac2011da
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6ddfa02a1667 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 8 seconds ago Up 9 seconds ago 0.0.0.0:8080->8080/tcp quirky_mestorf
// inspect the running container
[root@localhost ~]# podman inspect -l | grep -i ipaddress
"IPAddress": "10.88.0.5",
"IPAddress": "10.88.0.5",
-l is a convenience flag that selects the latest container. You can also use the container ID instead of -l.
Test the httpd server
[root@localhost ~]# curl http://localhost:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Test Page for the Apache HTTP Server on Fedora</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
/*<![CDATA[*/
body {
background-color: #fff;
color: #000;
font-size: 0.9em;
font-family: sans-serif,helvetica;
margin: 0;
padding: 0;
}
:link {
color: #c00;
}
:visited {
color: #c00;
}
a:hover {
color: #f50;
}
h1 {
text-align: center;
margin: 0;
padding: 0.6em 2em 0.4em;
background-color: #22437f;
color: #fff;
font-weight: normal;
font-size: 1.75em;
border-bottom: 2px solid #000;
}
h1 strong {
font-weight: bold;
}
h2 {
font-size: 1.1em;
font-weight: bold;
}
hr {
display: none;
}
.content {
padding: 1em 5em;
}
.content-columns {
/* Setting relative positioning allows for
absolute positioning for sub-classes */
position: relative;
padding-top: 1em;
}
.content-column-left {
/* Value for IE/Win; will be overwritten for other browsers */
width: 47%;
padding-right: 3%;
float: left;
padding-bottom: 2em;
}
.content-column-left hr {
display: none;
}
.content-column-right {
/* Values for IE/Win; will be overwritten for other browsers */
width: 47%;
padding-left: 3%;
float: left;
padding-bottom: 2em;
}
.content-columns>.content-column-left, .content-columns>.content-column-right {
/* Non-IE/Win */
}
img {
border: 2px solid #fff;
padding: 2px;
margin: 2px;
}
a:hover img {
border: 2px solid #f50;
}
/*]]>*/
</style>
</head>
<body>
<h1>Fedora <strong>Test Page</strong></h1>
<div class="content">
<div class="content-middle">
<p>This page is used to test the proper operation of the Apache HTTP server after it has been installed. If you can read this page, it means that the web server installed at this site is working properly, but has not yet been configured.</p>
</div>
<hr />
<div class="content-columns">
<div class="content-column-left">
<h2>If you are a member of the general public:</h2>
......................................................................
</div>
</div>
</div>
</div>
</body>
</html>
[root@localhost ~]# podman port -l
8080/tcp -> 0.0.0.0:8080
View the container's logs
[root@localhost ~]# podman logs --latest
=> sourcing 10-set-mpm.sh ...
=> sourcing 20-copy-config.sh ...
=> sourcing 40-ssl-certs.sh ...
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.5. Set the 'ServerName' directive globally to suppress this message
[Mon Aug 15 10:37:49.786995 2022] [ssl:warn] [pid 1:tid 140152331300224] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.1b FIPS 26 Feb 2019, version currently loaded is OpenSSL 1.1.1 FIPS 11 Sep 2018) - may result in undefined or erroneous behavior
[Mon Aug 15 10:37:49.791848 2022] [ssl:warn] [pid 1:tid 140152331300224] AH01909: 10.88.0.5:8443:0 server certificate does NOT include an ID which matches the server name
[Mon Aug 15 10:37:49.852100 2022] [ssl:warn] [pid 1:tid 140152331300224] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.1b FIPS 26 Feb 2019, version currently loaded is OpenSSL 1.1.1 FIPS 11 Sep 2018) - may result in undefined or erroneous behavior
[Mon Aug 15 10:37:49.852718 2022] [ssl:warn] [pid 1:tid 140152331300224] AH01909: 10.88.0.5:8443:0 server certificate does NOT include an ID which matches the server name
...............................................................
[Mon Aug 15 10:45:23.412089 2022] [autoindex:error] [pid 27:tid 140151661508352] [client 192.168.205.1:51201] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive
192.168.205.1 - - [15/Aug/2022:10:45:23 +0000] "GET / HTTP/1.1" 403 4650 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36 Edg/104.0.1293.54"
Accessing the page
View the container's PIDs
[root@localhost ~]# podman top -l
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
default 1 0 0.000 9m55.631375756s pts/0 0s httpd -D FOREGROUND
default 22 1 0.000 9m55.631549816s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 23 1 0.000 9m55.631603271s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 24 1 0.000 9m55.631652934s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 25 1 0.000 9m55.631679293s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 26 1 0.000 9m55.631704786s pts/0 0s httpd -D FOREGROUND
default 27 1 0.000 9m55.631728552s pts/0 0s httpd -D FOREGROUND
default 28 1 0.000 9m55.631754694s pts/0 0s httpd -D FOREGROUND
default 30 1 0.000 9m55.631778613s pts/0 0s httpd -D FOREGROUND
default 241 1 0.000 1m49.631801225s pts/0 0s httpd -D FOREGROUND
Checkpoint the container
// stop the container (checkpoint it)
[root@localhost ~]# podman container checkpoint -l
6ddfa02a1667fd0145327306363c9f7351e55af007f835b4a32dbb7eac2011da
// restore the container
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@localhost ~]# podman container restore -l
6ddfa02a1667fd0145327306363c9f7351e55af007f835b4a32dbb7eac2011da
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6ddfa02a1667 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 12 minutes ago Up 12 minutes ago 0.0.0.0:8080->8080/tcp quirky_mestorf
How to sign and distribute container images with Podman
The motivation for signing container images is to trust only dedicated image providers, which mitigates man-in-the-middle (MITM) attacks and attacks on the container registry itself. One way to sign images is with a GNU Privacy Guard (GPG) key. This technique is generally compatible with any OCI-compliant container registry, such as Quay.io. It is worth mentioning that the OpenShift integrated container registry supports this signing mechanism out of the box, which makes a separate signature store unnecessary.
// start a local registry container
[root@localhost ~]# podman run -d -p 5000:5000 docker.io/registry
Trying to pull docker.io/library/registry:latest...
Getting image source signatures
Copying blob 3790aef225b9 done
Copying blob e2ead8259a04 done
Copying blob 0d96da54f60b done
Copying blob 79e9f2f55bf5 done
Copying blob 5b27040df4a2 done
Copying config b8604a3fe8 done
Writing manifest to image destination
Storing signatures
887b6bd66d63a90540f8f3fc99a40acb8785387fef8a44ca61c09362837f91a8
// pull the image
[root@localhost ~]# podman pull docker://docker.io/alpine:latest
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob 59bf1c3509f3 done
Copying config c059bfaa84 done
Writing manifest to image destination
Storing signatures
c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18
[root@localhost ~]# podman images alpine
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
[root@localhost ~]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:5000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
[root@localhost ~]# podman images alpine
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
[root@localhost ~]# podman tag alpine localhost:5000/alpine
[root@localhost ~]# podman images alpine
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
localhost:5000/alpine latest c059bfaa849c 8 months ago 5.87 MB
Modify the configuration file
[root@localhost ~]# cd /etc/containers/
[root@localhost containers]# ls
certs.d policy.json registries.conf.d storage.conf
oci registries.conf registries.d
[root@localhost containers]# cd registries.d
[root@localhost registries.d]# ls
default.yaml registry.redhat.io.yaml
registry.access.redhat.com.yaml
[root@localhost registries.d]# vim default.yaml
sigstore: http://localhost:8000
Generate a key
[root@localhost ~]# gpg --full-gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: sgrunert@suse.com
Email address: sgrunert@suse.com
Comment: yyds
You selected this USER-ID:
"sgrunert@suse.com (yyds) <sgrunert@suse.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 64D2A5BE2728E7D6 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/CC56FE9969EF5624FCE802A764D2A5BE2728E7D6.rev'
public and secret key created and signed.
pub rsa2048 2022-08-15 [SC]
CC56FE9969EF5624FCE802A764D2A5BE2728E7D6
uid sgrunert@suse.com (yyds) <sgrunert@suse.com>
sub rsa2048 2022-08-15 [E]
[root@localhost ~]# gpg --list-keys sgrunert@suse.com
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub rsa2048 2022-08-15 [SC]
CC56FE9969EF5624FCE802A764D2A5BE2728E7D6
uid [ultimate] sgrunert@suse.com (yyds) <sgrunert@suse.com>
sub rsa2048 2022-08-15 [E]
Push and sign
[root@localhost ~]# podman push --tls-verify=false --sign-by sgrunert@suse.com localhost:5000/alpine
Getting image source signatures
Copying blob 8d3ac3489996 done
Copying config c059bfaa84 done
Writing manifest to image destination
Signing manifest
Storing signatures
// publish the signatures
[root@localhost ~]# ls /var/lib/containers/sigstore/
'alpine@sha256=a65d71e7a88c3a63246ec299abb0dcec671579ac0af199d96e2a82339f061199'
[root@localhost ~]# bash -c 'cd /var/lib/containers/sigstore && python3 -m http.server'
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
[root@localhost ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 5 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
// add a firewall rule
[root@localhost ~]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=192.168.205.0/24 port port=8000 protocol=tcp accept' --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
Accessing
Delete the local images
[root@localhost ~]# podman rmi docker.io/alpine localhost:5000/alpine
Untagged: docker.io/library/alpine:latest
Untagged: localhost:5000/alpine:latest
Deleted: c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18
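The post signs and publishes the image but never shows the consumer side, where the signature is actually enforced. The following script is an added example (not code from the original post or from the Podman project): it stages a signature-enforcing policy.json plus a scoped registries.d entry for the local registry, and provides an install step that applies them and pulls the signed image through the policy. It assumes the values used on this page: the registry at localhost:5000, signatures served on http://localhost:8000, and the signing key UID sgrunert@suse.com; the staging directory OUT and the helper names are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: generate an /etc/containers
# configuration under which `podman pull` rejects any image from the local
# registry that is not signed with the key generated earlier.
# Assumptions (matching the page): registry localhost:5000, signatures served
# on http://localhost:8000, signer UID sgrunert@suse.com. Files are staged in
# $OUT first; install_config copies them into /etc/containers (run as root).
set -eu

REGISTRY="${REGISTRY:-localhost:5000}"
SIGSTORE_URL="${SIGSTORE_URL:-http://localhost:8000}"
SIGNER="${SIGNER:-sgrunert@suse.com}"
OUT="${OUT_DIR:-$(mktemp -d)}"

# policy.json: reject everything by default; accept images from $REGISTRY only
# when they carry a signature made by the key in the given public key file.
# Local-storage transports stay permissive so commit/build on local images work.
write_policy() {                       # args: <policy.json path> <public key path>
  cat > "$1" <<EOF
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "$REGISTRY": [
        {"type": "signedBy", "keyType": "GPGKeys", "keyPath": "$2"}
      ]
    },
    "containers-storage": {"": [{"type": "insecureAcceptAnything"}]},
    "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}
  }
}
EOF
}

# registries.d entry: where podman fetches signatures for $REGISTRY. This is
# the per-registry form of the `sigstore:` line edited in default.yaml above.
write_registries_d() {                 # arg: <registries.d yaml path>
  cat > "$1" <<EOF
docker:
  $REGISTRY:
    sigstore: $SIGSTORE_URL
EOF
}

# Export the signer's public key in the form the signedBy rule expects.
export_pubkey() {                      # arg: <output path>
  gpg --armor --export "$SIGNER" > "$1"
}

# Show the signed payload (manifest digest and image reference) of one
# signature file from /var/lib/containers/sigstore; gpg also verifies it.
inspect_signature() {                  # arg: <path to signature-N file>
  gpg --decrypt "$1"
}

# Sanity check on a staged policy: default is reject and a signedBy rule
# exists for our registry. Returns 0 when both hold.
policy_allows_only_signed() {          # arg: <policy.json path>
  grep -q '"default": \[{"type": "reject"}\]' "$1" &&
  grep -q "\"$REGISTRY\"" "$1" &&
  grep -q '"signedBy"' "$1"
}

# Apply the configuration and pull the signed image through it.
# --tls-verify=false only because the page's registry speaks plain HTTP.
install_config() {
  export_pubkey /etc/containers/signer.gpg
  write_policy /etc/containers/policy.json /etc/containers/signer.gpg
  write_registries_d "/etc/containers/registries.d/$REGISTRY.yaml"
  podman pull --tls-verify=false "$REGISTRY/alpine"
}

# Stage the files; keyPath already points at the path install_config uses.
write_policy "$OUT/policy.json" /etc/containers/signer.gpg
write_registries_d "$OUT/$REGISTRY.yaml"
echo "staged policy.json and $REGISTRY.yaml in $OUT; run install_config as root to apply"
```

With this policy in place the pull of the signed alpine image succeeds, while an image pushed to the same registry without --sign-by, or one whose signature does not match its manifest digest, is rejected by podman with a "Source image rejected" error instead of being stored. The python3 http.server on port 8000 must be running for the lookup to succeed, as it was when the signature was published above.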
Common Podman commands
// manage containers
[root@localhost ~]# podman container
Manage containers
Description:
Manage containers
Usage:
podman container [command]
Available Commands:
attach Attach to a running container
checkpoint Checkpoints one or more containers
cleanup Cleanup network and mountpoints of one or more containers
commit Create new image based on the changed container
cp Copy files/folders between a container and the local filesystem
create Create but do not start a container
diff Inspect changes to the container's file systems
exec Run a process in a running container
exists Check if a container exists in local storage
export Export container's filesystem contents as a tar archive
init Initialize one or more containers
inspect Display the configuration of a container
kill Kill one or more running containers with a specific signal
list List containers
logs Fetch the logs of one or more containers
mount Mount a working container's root filesystem
pause Pause all the processes in one or more containers
port List port mappings or a specific mapping for the container
prune Remove all non running containers
ps List containers
rename Rename an existing container
restart Restart one or more containers
restore Restores one or more containers from a checkpoint
rm Remove one or more containers
run Run a command in a new container
runlabel Execute the command described by an image label
start Start one or more containers
stats Display a live stream of container resource usage statistics
stop Stop one or more containers
top Display the running processes of a container
unmount Unmounts working container's root filesystem
unpause Unpause the processes in one or more containers
wait Block on one or more containers
// the cp command
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e0b2c3115119 docker.io/library/busybox:latest sh 6 minutes ago Up 6 minutes ago modest_hellman
[root@localhost ~]# ls
anaconda-ks.cfg
[root@localhost ~]# podman cp anaconda-ks.cfg e0b2c3115119:/
// check from another terminal
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@localhost ~]# podman run -it busybox
/ # ls
bin etc proc run tmp var
dev home root sys usr
/ # ls
anaconda-ks.cfg home sys
bin proc tmp
dev root usr
etc run var
// create only, without starting
[root@localhost ~]# podman create --name web httpd
d4e4125ed4578d624d28bf1d05e120f16bced71d3f7b88f31e6a953d0ca74873
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f310b5a6107c docker.io/library/busybox:latest sh 24 minutes ago Exited (0) 21 minutes ago blissful_chaum
e0b2c3115119 docker.io/library/busybox:latest sh 13 minutes ago Up 13 minutes ago modest_hellman
d4e4125ed457 docker.io/library/httpd:latest httpd-foreground 2 minutes ago Created web
// inspect changes to the container's filesystem
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e0b2c3115119 docker.io/library/busybox:latest sh 16 minutes ago Up 16 minutes ago modest_hellman
[root@localhost ~]# podman diff e0b2c3115119
A /anaconda-ks.cfg
C /root
A /root/.ash_history
C /etc
// enter the container
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e0b2c3115119 docker.io/library/busybox:latest sh 20 minutes ago Up 20 minutes ago modest_hellman
[root@localhost ~]# podman exec -it e0b2c3115119 /bin/sh
/ #
// check container health
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e0b2c3115119 docker.io/library/busybox:latest sh 22 minutes ago Up 22 minutes ago modest_hellman
[root@localhost ~]# podman healthcheck run e0b2c3115119
Error: container e0b2c3115119144fd41ea4af745b92ceee0772b8a200ef4f69d3c80db2c2bf2d has no defined healthcheck
// view image history
[root@localhost ~]# podman history centos
ID CREATED CREATED BY SIZE COMMENT
300e315adb2f 20 months ago /bin/sh -c #(nop) CMD ["/bin/bash"] 0 B
<missing> 20 months ago /bin/sh -c #(nop) LABEL org.label-schema.... 0 B
<missing> 20 months ago /bin/sh -c #(nop) ADD file:bd7a2aed6ede423... 217 MB
// manage images
[root@localhost ~]# podman image
Manage images
Description:
Manage images
Usage:
podman image [command]
Available Commands:
build Build an image using instructions from Containerfiles
diff Inspect changes to the image's file systems
exists Check if an image exists in local storage
history Show history of a specified image
import Import a tarball to create a filesystem image
inspect Display the configuration of an image
list List images in local storage
load Load image(s) from a tar archive
mount Mount an image's root filesystem
prune Remove unused images
pull Pull an image from a registry
push Push an image to a specified destination
rm Removes one or more images from local storage
save Save image(s) to an archive
scp securely copy images
search Search registry for image
sign Sign an image
tag Add an additional name to a local image
tree Prints layer hierarchy of an image in a tree format
trust Manage container image trust policy
unmount Unmount an image's root filesystem
untag Remove a name from a local image
// list images
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/busybox latest beae173ccac6 7 months ago 1.46 MB
docker.io/library/httpd latest dabbfbe0c57b 7 months ago 148 MB
quay.io/centos/centos latest 300e315adb2f 20 months ago 217 MB
// show Podman system information
[root@localhost ~]# podman info
host:
arch: amd64
buildahVersion: 1.24.1
cgroupControllers:
- cpuset
- cpu
- cpuacct
- blkio
- memory
- devices
- freezer
- net_cls
- perf_event
- net_prio
- hugetlb
- pids
- rdma
....................
// generate structured data (here, a systemd unit file)
[root@localhost ~]# podman run -d --name web -p 80:80 httpd
bd0a480f9940cf203937a4f794bc0566b85e697d507e1d853397d9492a4394f7
[root@localhost ~]# podman generate systemd --name web --files --new
/root/container-web.service
[root@localhost ~]# ls
anaconda-ks.cfg container-web.service
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6ddfa02a1667 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 2 hours ago Up 2 hours ago 0.0.0.0:8080->8080/tcp quirky_mestorf
887b6bd66d63 docker.io/library/registry:latest /etc/docker/regis... 2 hours ago Up 2 hours ago 0.0.0.0:5000->5000/tcp intelligent_germain
bd0a480f9940 docker.io/library/httpd:latest httpd-foreground 2 minutes ago Up 2 minutes ago 0.0.0.0:80->80/tcp web
// list port mappings, or a specific mapping, for the container
[root@localhost ~]# podman port web
80/tcp -> 0.0.0.0:80
// rename the container
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
bd0a480f9940 docker.io/library/httpd:latest httpd-foreground 5 minutes ago Up 5 minutes ago 0.0.0.0:80->80/tcp web
[root@localhost ~]# podman rename web yyds
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
bd0a480f9940 docker.io/library/httpd:latest httpd-foreground 5 minutes ago Up 5 minutes ago 0.0.0.0:80->80/tcp yyds