podman进阶

podman故障排除

网络设置

//首先定义一个别名,让 docker 命令等同于 podman
[root@localhost ~]# alias docker=podman
[root@localhost ~]# alias
alias cp='cp -i'
alias docker='podman'
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'
alias grep='grep --color=auto'
alias l.='ls -d .* --color=auto'
alias ll='ls -l --color=auto'
alias ls='ls --color=auto'
alias mv='mv -i'

//分别在两个终端运行两个 busybox 容器,并查看各自的网卡和 IP
[root@localhost ~]# podman run -it docker.io/library/busybox /bin/sh
/ #  ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether ce:ef:d3:9e:e5:86 brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.2/16 brd 10.88.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::ccef:d3ff:fe9e:e586/64 scope link 
       valid_lft forever preferred_lft forever


[root@localhost ~]# podman run -it docker.io/library/busybox /bin/sh
/ # 
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether d2:42:5c:7f:b5:5c brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.3/16 brd 10.88.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::d042:5cff:fe7f:b55c/64 scope link 
       valid_lft forever preferred_lft forever
//在第一个容器里 ping 第二个容器的 IP,两个容器之间可以互相 ping 通
/ # ping 10.88.0.3
PING 10.88.0.3 (10.88.0.3): 56 data bytes
64 bytes from 10.88.0.3: seq=0 ttl=64 time=0.041 ms
64 bytes from 10.88.0.3: seq=1 ttl=64 time=0.040 ms
64 bytes from 10.88.0.3: seq=2 ttl=64 time=0.034 ms
^Z[1]+  Stopped                    ping 10.88.0.3



cni:Container Network Interface(容器网络接口)

//容器启动时主机上会生成对应的 veth 网卡,容器退出后这些 veth 网卡也会消失,但 cni-podman0 网桥依然存在
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:0d:28:93 brd ff:ff:ff:ff:ff:ff
    inet 192.168.47.164/24 brd 192.168.47.255 scope global dynamic noprefixroute ens33
       valid_lft 1312sec preferred_lft 1312sec
    inet6 fe80::7f17:7566:4adf:f2cd/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: cni-podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 86:40:c8:13:13:5f brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
       valid_lft forever preferred_lft forever
    inet6 fe80::8440:c8ff:fe13:135f/64 scope link 
       valid_lft forever preferred_lft forever
4: vethd5f6f81e@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default 
    link/ether e6:7c:83:34:e8:9e brd ff:ff:ff:ff:ff:ff link-netns cni-f8e06840-f838-325f-98b0-9a6a14977430
    inet6 fe80::e47c:83ff:fe34:e89e/64 scope link 
       valid_lft forever preferred_lft forever
5: veth3cd5a4b7@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default 
    link/ether a2:7f:ab:54:52:ee brd ff:ff:ff:ff:ff:ff link-netns cni-cbd03cfe-f61f-b3fd-da8d-4cb7be07dad0
    inet6 fe80::a07f:abff:fe54:52ee/64 scope link 
       valid_lft forever preferred_lft forever
//在这里把上面两个容器退出,再查看主机网卡:veth 网卡消失,cni-podman0 变为 NO-CARRIER/DOWN
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:0d:28:93 brd ff:ff:ff:ff:ff:ff
    inet 192.168.47.164/24 brd 192.168.47.255 scope global dynamic noprefixroute ens33
       valid_lft 1156sec preferred_lft 1156sec
    inet6 fe80::7f17:7566:4adf:f2cd/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: cni-podman0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 86:40:c8:13:13:5f brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
       valid_lft forever preferred_lft forever
    inet6 fe80::8440:c8ff:fe13:135f/64 scope link 
       valid_lft forever preferred_lft forever

podman防火墙规则

//查看 nat 表的防火墙规则,现在没有任何规则
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
//运行一个 httpd 容器,把主机的 80 端口映射到容器的 80 端口
[root@localhost ~]# podman run -d -p 80:80 --name web docker.io/library/httpd
7fa2fc2390f81018f72606bfd586cc776b091aeedf0a40f816e39a88248e81a0
//查看端口映射(0.0.0.0 表示在主机的所有接口上监听)
[root@localhost ~]# podman port web
80/tcp -> 0.0.0.0:80
//再次查看 nat 表的防火墙规则,发现多了一条 podman 为该容器生成的 CNI 规则
[root@localhost ~]# iptables -t nat -nvL
Chain CNI-807cc9c30b332fae8a5f041a (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            10.88.0.0/16         /* name: "podman" id: "7fa2fc2390f81018f72606bfd586cc776b091aeedf0a40f816e39a88248e81a0" */

//查看容器 IP,并确认通过该 IP 可以访问
[root@localhost ~]# podman inspect -l|grep -i address
            "IPAddress": "10.88.0.4",
            "GlobalIPv6Address": "",
            "MacAddress": "76:45:02:92:6b:83",
            "LinkLocalIPv6Address": "",
                    "IPAddress": "10.88.0.4",
                    "GlobalIPv6Address": "",
                    "MacAddress": "76:45:02:92:6b:83",
[root@localhost ~]# curl 10.88.0.4
<html><body><h1>It works!</h1></body></html>
//清空防火墙规则(注意:这会删除主机上的全部规则,不只是 podman 添加的那些)
[root@localhost ~]# iptables --flush #刷新
[root@localhost ~]# iptables -t nat -F #指定表清空
[root@localhost ~]# iptables -t nat -nvL #规则已被清空
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
//规则删除后发现无法再访问容器
[root@localhost ~]# curl 10.88.0.4
curl: (7) Failed to connect to 10.88.0.4 port 80: 没有到主机的路由

//使用 podman network reload 命令重新加载容器网络后,防火墙规则重新出现
[root@localhost ~]# podman network reload web
7fa2fc2390f81018f72606bfd586cc776b091aeedf0a40f816e39a88248e81a0
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         


配置文件

//podman 的默认 CNI 网络配置文件,容器分配到的 IP 段可通过这里的 subnet/gateway 控制
[root@localhost ~]# cat /etc/cni/net.d/87-podman.conflist 
{
  "cniVersion": "0.4.0",
  "name": "podman",
  "plugins": [
    {
      "type": "bridge",   #模式
      "bridge": "cni-podman0",   #桥的名字
      "isGateway": true,   #是不是网关
      "ipMasq": true,
      "hairpinMode": true,
      "ipam": {
        "type": "host-local",
        "routes": [{ "dst": "0.0.0.0/0" }],
        "ranges": [
          [
            {
              "subnet": "10.88.0.0/16",
              "gateway": "10.88.0.1"
            }
          ]
        ]
      }
    },
    {
      "type": "portmap",  #端口映射
      "capabilities": {
        "portMappings": true
      }
    },
    {
      "type": "firewall"
    },
    {
      "type": "tuning"
    }
  ]
}

查看子命令的用法

//查看attach这个子命令的用法
[root@localhost ~]# man podman-attach
EXAMPLES
       Attach to a container called "foobar".

              $ podman attach foobar

       Attach to the latest created container.

              $ podman attach --latest

       Attach to a container that start with the ID "1234".

              $ podman attach 1234

       Attach to a container without attaching STDIN.

              $ podman attach --no-stdin foobar

SEE ALSO
       podman(1), podman-exec(1), podman-run(1),
       containers.conf(5)

 
~
~
/EXAMPLE  #在 man 页面里输入 /EXAMPLE 可以搜索示例部分

基础命令


//查看指定镜像的构建历史
[root@localhost ~]# podman history docker.io/library/busybox
ID            CREATED     CREATED BY                                     SIZE        COMMENT
ffe9d497c324  6 days ago  /bin/sh -c #(nop)  CMD ["sh"]                  0 B         
<missing>     6 days ago  /bin/sh -c #(nop) ADD file:e2d2d9591696b14...  1.46 MB  

//使用 image 子命令管理镜像,使用 images 查看镜像
[root@localhost ~]# podman image --help
Manage images

Description:
  Manage images

Usage:
  podman image [command]

Available Commands:
  build       Build an image using instructions from Containerfiles
  diff        Inspect changes to the image's file systems
  exists      Check if an image exists in local storage
  history     Show history of a specified image
  import      Import a tarball to create a filesystem image
  inspect     Display the configuration of an image
  list        List images in local storage
  load        Load image(s) from a tar archive
  mount       Mount an image's root filesystem
  prune       Remove unused images
  pull        Pull an image from a registry
  push        Push an image to a specified destination
  rm          Removes one or more images from local storage
  save        Save image(s) to an archive
  scp         securely copy images
  search      Search registry for image
  sign        Sign an image
  tag         Add an additional name to a local image
  tree        Prints layer hierarchy of an image in a tree format
  trust       Manage container image trust policy
  unmount     Unmount an image's root filesystem
  untag       Remove a name from a local image
  
//查看镜像的分层结构,有几层
[root@localhost ~]# podman image tree docker.io/my922/nginx
Image ID: c69af231e7f6
Tags:     [localhost/nginx:latest docker.io/my922/nginx:latest]
Size:     565.4MB
Image Layers
├── ID: 74ddd0ec08fa Size: 238.6MB Top Layer of: [docker.io/library/centos:latest]
├── ID: d253d66bdbee Size: 6.723MB
└── ID: 60c95eeded28 Size: 320.1MB Top Layer of: [localhost/nginx:latest docker.io/my922/nginx:latest]

//查看 podman 主机与运行环境的详细信息
[root@localhost ~]# podman info
host:
  arch: amd64
  buildahVersion: 1.23.1
  cgroupControllers:
  - cpuset
  - cpu
  - cpuacct
  - blkio
  - memory
  - devices
  - freezer
  - net_cls
  - perf_event
  - net_prio
  - hugetlb
  - pids
  - rdma
  cgroupManager: systemd
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.30-1.module_el8.6.0+944+d413f95e.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.30, commit: e28f6ed9f4a6f18e27f3efdab92de483806e6b9c'

设置开机自启


//先创建一个容器,但不启动
[root@localhost ~]# podman create --name nginx nginx:latest
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                   COMMAND               CREATED         STATUS      PORTS       NAMES
59ceb04e76fc  localhost/nginx:latest  nginx -g daemon o...  35 seconds ago  Created                 nginx

//生成 service 文件,但此命令只把 service 内容输出到终端而不会写入文件,建议用下一条命令
[root@localhost ~]# podman generate systemd --restart-policy=always -t 1 nginx
# container-59ceb04e76fc859f57cee88ac813534945dbeddd3c88229017151e031fb52a9e.service
# autogenerated by Podman 3.4.1-dev
# Tue Dec 14 22:22:56 CST 2021

[Unit]
Description=Podman container-59ceb04e76fc859f57cee88ac813534945dbeddd3c88229017151e031fb52a9e.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=/run/containers/storage

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=always
TimeoutStopSec=61
ExecStart=/usr/bin/podman start 59ceb04e76fc859f57cee88ac813534945dbeddd3c88229017151e031fb52a9e
ExecStop=/usr/bin/podman stop -t 1 59ceb04e76fc859f57cee88ac813534945dbeddd3c88229017151e031fb52a9e
ExecStopPost=/usr/bin/podman stop -t 1 59ceb04e76fc859f57cee88ac813534945dbeddd3c88229017151e031fb52a9e
PIDFile=/run/containers/storage/overlay-containers/59ceb04e76fc859f57cee88ac813534945dbeddd3c88229017151e031fb52a9e/userdata/conmon.pid
Type=forking

[Install]
WantedBy=multi-user.target default.target

//用 --files 把 nginx 容器的 service 写成文件,文件名为 container-nginx.service
[root@localhost ~]# podman generate systemd --files --name nginx
/root/container-nginx.service,查看状态

//把文件移动到 systemd 的 unit 目录(本地自定义 unit 通常放在 /etc/systemd/system,此处使用的是 /usr/lib/systemd/system)
[root@localhost ~]# mv container-nginx.service /usr/lib/systemd/system/
[root@localhost ~]# systemctl status container-nginx
● container-nginx.service - Podman container-nginx.service
   Loaded: loaded (/usr/lib/systemd/system/container-nginx.serv>
   Active: inactive (dead)
     Docs: man:podman-generate-systemd(1)
     
//把容器设置为开机自启,并立即启动
[root@localhost ~]# systemctl enable --now container-nginx
Created symlink /etc/systemd/system/multi-user.target.wants/container-nginx.service → /usr/lib/systemd/system/container-nginx.service.
Created symlink /etc/systemd/system/default.target.wants/container-nginx.service → /usr/lib/systemd/system/container-nginx.service.


使用普通用户设置开机自启

//切换到普通用户,以 rootless 方式运行容器
[root@localhost ~]# su - tom
上一次登录:二 1214 19:08:41 CST 2021pts/2 上
[tom@localhost ~]$ podman ps -a
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

//创建并启动一个容器
[tom@localhost ~]$ podman run --name web -d nginx
✔ docker.io/library/nginx:latest
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob 881ff011f1c9 done  
Copying blob 21e0df283cd6 [>------------------] 1.7MiB / 24.2MiB
Copying blob e5ae68f74026 [>------------------] 1.0MiB / 29.9MiB
Copying blob ed835de16acd done  
Copying blob 77700c52c969 done  
Copying blob 44be98c0fab6 done  
[tom@localhost ~]$ podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED             STATUS                 PORTS       NAMES
dcc006816f20  docker.io/library/nginx:latest  nginx -g daemon o...  About a minute ago  Up About a minute ago              web

//创建用户级 systemd unit 目录
[tom@localhost ~]$ cd .config/
[tom@localhost .config]$ ls
cni
[tom@localhost .config]$ mkdir systemd/user -p
[tom@localhost .config]$ tree
.
├── cni
│   └── net.d
│       └── 87-podman.conflist
└── systemd
    └── user
//在用户 unit 目录下生成 service 文件
[tom@localhost user]$ pwd
/home/tom/.config/systemd/user
[tom@localhost user]$ podman generate systemd --files --name web
/home/tom/.config/systemd/user/container-web.service

//先停掉容器,之后交由 systemd 来启动
[tom@localhost user]$ podman stop web
web
[tom@localhost user]$ podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS                    PORTS       NAMES
dcc006816f20  docker.io/library/nginx:latest  nginx -g daemon o...  5 minutes ago  Exited (0) 5 seconds ago              web

//重新加载 systemd 配置。注意:这里没有加 --user,操作的是系统级 systemd,因此要求 root 认证;rootless 容器的用户级 unit 应使用 systemctl --user daemon-reload
[tom@localhost user]$ systemctl daemon-reload
==== AUTHENTICATING FOR org.freedesktop.systemd1.reload-daemon ====
Authentication is required to reload the systemd state.
Authenticating as: root
Password: 
==== AUTHENTICATION COMPLETE ====

