Podman 在 Rootless 环境中的基本设置和使用
更改默认的OCI
//安装crun
[root@localhost ~]# yum -y install crun
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 1 day, 23:40:41 ago on Sun Aug 14 18:27:04 2022.
Dependencies resolved.
==================================================================
Package
Arch Version Repo Size
==================================================================
Installing:
crun x86_64 1.4.3-1.module_el8.7.0+1106+45480ee0 appstream 209 k
Installing dependencies:
yajl x86_64 2.1.0-11.el8 appstream 41 k
Transaction Summary
==================================================================
Install 2 Packages
Total download size: 250 k
Installed size: 602 k
Downloading Packages:
(1/2): yajl-2.1.0-11.el8.x86_64.r 50 kB/s | 41 kB 00:00
(2/2): crun-1.4.3-1.module_el8.7. 237 kB/s | 209 kB 00:00
------------------------------------------------------------------
Total 160 kB/s | 250 kB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : yajl-2.1.0-11.el8.x86_64 1/2
Installing : crun-1.4.3-1.module_el8.7.0+1106+45480 2/2
Running scriptlet: crun-1.4.3-1.module_el8.7.0+1106+45480 2/2
Verifying : crun-1.4.3-1.module_el8.7.0+1106+45480 1/2
Verifying : yajl-2.1.0-11.el8.x86_64 2/2
Installed products updated.
Installed:
crun-1.4.3-1.module_el8.7.0+1106+45480ee0.x86_64
yajl-2.1.0-11.el8.x86_64
Complete!
[root@localhost ~]# vim /usr/share/containers/containers.conf
runtime = "crun" //取消注释
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@localhost ~]# podman run -d --name web -p 80:80 httpd
05ee2bc3ece6053e45857ee4a40614162ee89a5e32a6fd1094a25175e695284d
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
05ee2bc3ece6 docker.io/library/httpd:latest httpd-foreground 6 seconds ago Up 6 seconds ago 0.0.0.0:80->80/tcp web
[root@localhost ~]# podman inspect web | grep crun
"OCIRuntime": "crun",
安装slirp4netns
[root@localhost ~]# dnf -y install slirp4netns
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 1 day, 23:30:33 ago on Sun Aug 14 18:27:04 2022.
Package slirp4netns-1.1.8-2.module_el8.7.0+1106+45480ee0.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@localhost ~]# yum -y install fuse-overlayfs
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 1 day, 23:55:07 ago on Sun Aug 14 18:27:04 2022.
Package fuse-overlayfs-1.8.2-1.module_el8.7.0+1106+45480ee0.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@localhost ~]# vim /etc/containers/storage.conf
mount_program = "/usr/bin/fuse-overlayfs" //取消注释
配置 /etc/subuid 和 /etc/subgid
[root@localhost ~]# yum -y install shadow-utils
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 1 day, 23:57:59 ago on Sun Aug 14 18:27:04 2022.
Package shadow-utils-2:4.6-12.el8.x86_64 is already installed.
Dependencies resolved.
==================================================================
Package Arch Version Repository Size
==================================================================
Upgrading:
shadow-utils x86_64 2:4.6-17.el8 baseos 1.2 M
Transaction Summary
==================================================================
Upgrade 1 Package
Total download size: 1.2 M
Downloading Packages:
shadow-utils-4.6-17.el8.x86_64.rp 446 kB/s | 1.2 MB 00:02
------------------------------------------------------------------
Total 174 kB/s | 1.2 MB 00:07
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Upgrading : shadow-utils-2:4.6-17.el8.x86_64 1/2
Cleanup : shadow-utils-2:4.6-12.el8.x86_64 2/2
Running scriptlet: shadow-utils-2:4.6-12.el8.x86_64 2/2
Verifying : shadow-utils-2:4.6-17.el8.x86_64 1/2
Verifying : shadow-utils-2:4.6-12.el8.x86_64 2/2
Installed products updated.
Upgraded:
shadow-utils-2:4.6-17.el8.x86_64
Complete!
[root@localhost ~]# useradd jiang
[root@localhost ~]# cat /etc/subuid
jiang:100000:65536
[root@localhost ~]# cat /etc/subgid
jiang:100000:65536
[root@localhost ~]# vim /etc/sysctl.conf
net.ipv4.ping_group_range=0 200000
//分配的初始 UID
[root@localhost ~]# useradd yyds
[root@localhost ~]# usermod --add-subuids 200000-201000 --add-subgids 200000-201000 yyds
[root@localhost ~]# cat /etc/subgid
jiang:100000:65536
yyds:165536:65536
[root@localhost ~]# cat /etc/subuid
jiang:100000:65536
yyds:165536:65536
修改配置文件
[root@localhost ~]# vim /etc/containers/storage.conf
[storage]
# Default Storage Driver, Must be set for proper operation.
driver = "overlay" #此处改为overlay
.......
mount_program = "/usr/bin/fuse-overlayfs" #取消注释
[root@localhost ~]# vim /etc/sysctl.conf
user.max_user_namespaces=15000 //添加
授权文件（注意：auth.json 中的 auth 字段只是 "用户名:密码" 的 base64 编码，并未加密，因此该文件的读取权限需要妥善保护）
[root@localhost ~]# podman login
Username: 1919756426
Password:
Login Succeeded!
[root@localhost ~]# find / -name auth.json
/run/user/0/containers/auth.json
[root@localhost ~]# cat /run/user/0/containers/auth.json
{
"auths": {
"docker.io": {
"auth": "MTkxOTc1NjQyNjoxOTE5NzU2NDI2"
}
}
}
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/busybox latest beae173ccac6 7 months ago 1.46 MB
docker.io/library/httpd latest dabbfbe0c57b 7 months ago 148 MB
docker.io/library/registry latest b8604a3fe854 9 months ago 26.8 MB
quay.io/centos/centos latest 300e315adb2f 20 months ago 217 MB
registry.fedoraproject.org/f29/httpd latest 25c76f9dcdb5 3 years ago 482 MB
[root@localhost ~]# su - jiang
[jiang@localhost ~]$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
使用卷
[root@localhost ~]# su - jiang
[jiang@localhost ~]$ pwd
/home/zz
[jiang@localhost ~]$ mkdir /home/jiang/data
[jiang@localhost ~]$ podman run -it -v "$(pwd)"/data:/data docker.io/library/busybox /bin/sh
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 3cb635b06aa2 done
Copying config ffe9d497c3 done
Writing manifest to image destination
Storing signatures
/ # ls
bin data dev etc home proc root run sys tmp usr var
/ # cd data/
/data # ls
/data # touch 123
/data # ls -l
total 0
-rw-r--r-- 1 root root 0 Dec 13 00:17 123
基本网络设置
大多数使用 Podman 运行的容器和 Pod 都遵循几个简单的场景。默认情况下，rootful Podman 将创建一个桥接网络。这是 Podman 最直接和首选的网络设置。桥接网络在内部桥接网络上为容器创建一个接口，然后通过网络地址转换 (NAT) 连接到 Internet。我们还看到有用户希望使用 macvlan 进行联网。macvlan 插件将整个网络接口从主机转发到容器中，允许容器访问主机所连接的网络。最后，无根容器的默认网络配置是 slirp4netns。slirp4netns 网络模式功能有限，但可以由没有 root 权限的用户运行。它创建从主机到容器的隧道以转发流量。
有根容器网络和无根容器网络之间的区别
Podman 容器联网的指导因素之一是容器是否由 root 用户运行。这是因为非特权用户无法在主机上创建网络接口。因此，对于无根容器，默认的网络模式是 slirp4netns。由于权限的限制，slirp4netns 相比 rootful Podman 的联网缺少一些特性；例如，slirp4netns 不能给容器一个可路由的 IP 地址。另一方面，rootful 容器的默认联网模式是 netavark，它允许容器拥有一个可路由的 IP 地址。
[root@localhost ~]# podman run -d httpd
WARN[0000] Ignoring global metacopy option, not supported with booted kernel
9ad7477022e142d319ab76ff9a532e6392ceba9be4770c8e4719475b9f037b99
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
05ee2bc3ece6 docker.io/library/httpd:latest httpd-foreground About an hour ago Up About an hour ago 0.0.0.0:80->80/tcp web
9ad7477022e1 docker.io/library/httpd:latest httpd-foreground 49 seconds ago Up 49 seconds ago nifty_hugle
[root@localhost ~]# podman inspect -l | grep -i address
"IPAddress": "10.88.0.10",
"GlobalIPv6Address": "",
"MacAddress": "12:30:6c:f1:f4:bd",
"LinkLocalIPv6Address": "",
"IPAddress": "10.88.0.10",
"GlobalIPv6Address": "",
"MacAddress": "12:30:6c:f1:f4:bd",
[root@localhost ~]# curl 10.88.0.10
<html><body><h1>It works!</h1></body></html>
//连接
[root@localhost ~]# podman network ls
NETWORK ID NAME DRIVER
2f259bab93aa podman bridge
[root@localhost ~]# podman network create jiang -d bridge
jiang
[root@localhost ~]# podman network ls
NETWORK ID NAME DRIVER
0f31618ba0cf jiang bridge
2f259bab93aa podman bridge