网络设置
//首先定义一个别名,让 docker 命令等同于 podman(alias 只在当前 shell 会话有效,重新登录后需要再定义或写入 ~/.bashrc)
[root@localhost ~]# alias docker=podman
[root@localhost ~]# alias
alias cp='cp -i'
alias docker='podman'
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'
alias grep='grep --color=auto'
alias l.='ls -d .* --color=auto'
alias ll='ls -l --color=auto'
alias ls='ls --color=auto'
alias mv='mv -i'
//运行两个容器
[root@localhost ~]# podman run -it docker.io/library/busybox /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether ce:ef:d3:9e:e5:86 brd ff:ff:ff:ff:ff:ff
inet 10.88.0.2/16 brd 10.88.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::ccef:d3ff:fe9e:e586/64 scope link
valid_lft forever preferred_lft forever
[root@localhost ~]# podman run -it docker.io/library/busybox /bin/sh
/ #
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether d2:42:5c:7f:b5:5c brd ff:ff:ff:ff:ff:ff
inet 10.88.0.3/16 brd 10.88.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::d042:5cff:fe7f:b55c/64 scope link
valid_lft forever preferred_lft forever
//两个容器之间能 ping 通
/ # ping 10.88.0.3
PING 10.88.0.3 (10.88.0.3): 56 data bytes
64 bytes from 10.88.0.3: seq=0 ttl=64 time=0.041 ms
64 bytes from 10.88.0.3: seq=1 ttl=64 time=0.040 ms
64 bytes from 10.88.0.3: seq=2 ttl=64 time=0.034 ms
^Z[1]+ Stopped ping 10.88.0.3
cni:Container Network Interface(容器网络接口)
//容器启动时主机上会生成对应的 veth 网卡,容器退出后该 veth 网卡也会消失,但 cni-podman0 这块桥网卡依然存在
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:0d:28:93 brd ff:ff:ff:ff:ff:ff
inet 192.168.47.164/24 brd 192.168.47.255 scope global dynamic noprefixroute ens33
valid_lft 1312sec preferred_lft 1312sec
inet6 fe80::7f17:7566:4adf:f2cd/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: cni-podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 86:40:c8:13:13:5f brd ff:ff:ff:ff:ff:ff
inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
valid_lft forever preferred_lft forever
inet6 fe80::8440:c8ff:fe13:135f/64 scope link
valid_lft forever preferred_lft forever
4: vethd5f6f81e@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default
link/ether e6:7c:83:34:e8:9e brd ff:ff:ff:ff:ff:ff link-netns cni-f8e06840-f838-325f-98b0-9a6a14977430
inet6 fe80::e47c:83ff:fe34:e89e/64 scope link
valid_lft forever preferred_lft forever
5: veth3cd5a4b7@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default
link/ether a2:7f:ab:54:52:ee brd ff:ff:ff:ff:ff:ff link-netns cni-cbd03cfe-f61f-b3fd-da8d-4cb7be07dad0
inet6 fe80::a07f:abff:fe54:52ee/64 scope link
valid_lft forever preferred_lft forever
//在这里把上面两个容器退出
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:0d:28:93 brd ff:ff:ff:ff:ff:ff
inet 192.168.47.164/24 brd 192.168.47.255 scope global dynamic noprefixroute ens33
valid_lft 1156sec preferred_lft 1156sec
inet6 fe80::7f17:7566:4adf:f2cd/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: cni-podman0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 86:40:c8:13:13:5f brd ff:ff:ff:ff:ff:ff
inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
valid_lft forever preferred_lft forever
inet6 fe80::8440:c8ff:fe13:135f/64 scope link
valid_lft forever preferred_lft forever
podman防火墙规则
//查看防火墙规则,现在没有规则
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
//运行一个容器,映射80端口
[root@localhost ~]# podman run -d -p 80:80 --name web docker.io/library/httpd
7fa2fc2390f81018f72606bfd586cc776b091aeedf0a40f816e39a88248e81a0
//查看端口映射(0.0.0.0 表示在主机的所有网卡上监听 80 端口)
[root@localhost ~]# podman port web
80/tcp -> 0.0.0.0:80
//查看防火墙规则,发现多了一条
[root@localhost ~]# iptables -t nat -nvL
Chain CNI-807cc9c30b332fae8a5f041a (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 10.88.0.0/16 /* name: "podman" id: "7fa2fc2390f81018f72606bfd586cc776b091aeedf0a40f816e39a88248e81a0" */
//查看IP能访问
[root@localhost ~]# podman inspect -l|grep -i address
"IPAddress": "10.88.0.4",
"GlobalIPv6Address": "",
"MacAddress": "76:45:02:92:6b:83",
"LinkLocalIPv6Address": "",
"IPAddress": "10.88.0.4",
"GlobalIPv6Address": "",
"MacAddress": "76:45:02:92:6b:83",
[root@localhost ~]# curl 10.88.0.4
<html><body><h1>It works!</h1></body></html>
//清空防火墙规则
[root@localhost ~]# iptables --flush #清空 filter 表所有链的规则(不只是 podman 添加的规则,主机自身的防火墙规则也会被清掉)
[root@localhost ~]# iptables -t nat -F #指定表清空
[root@localhost ~]# iptables -t nat -nvL #规则已被清空
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
//规则删除后发现访问不了
[root@localhost ~]# curl 10.88.0.4
curl: (7) Failed to connect to 10.88.0.4 port 80: 没有到主机的路由
//使用 podman network reload 命令重新加载网络,被清空的规则会重新生成
[root@localhost ~]# podman network reload web
7fa2fc2390f81018f72606bfd586cc776b091aeedf0a40f816e39a88248e81a0
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
配置文件
//podman 的桥配置文件,容器使用的 IP 地址段和网关可通过这个文件控制
[root@localhost ~]# cat /etc/cni/net.d/87-podman.conflist
{
"cniVersion": "0.4.0",
"name": "podman",
"plugins": [
{
"type": "bridge", #模式
"bridge": "cni-podman0", #桥的名字
"isGateway": true, #是不是网关
"ipMasq": true,
"hairpinMode": true,
"ipam": {
"type": "host-local",
"routes": [{ "dst": "0.0.0.0/0" }],
"ranges": [
[
{
"subnet": "10.88.0.0/16",
"gateway": "10.88.0.1"
}
]
]
}
},
{
"type": "portmap", #端口映射
"capabilities": {
"portMappings": true
}
},
{
"type": "firewall"
},
{
"type": "tuning"
}
]
}
查看子命令的用法
//查看attach这个子命令的用法
[root@localhost ~]# man podman-attach
EXAMPLES
Attach to a container called "foobar".
$ podman attach foobar
Attach to the latest created container.
$ podman attach --latest
Attach to a container that start with the ID "1234".
$ podman attach 1234
Attach to a container without attaching STDIN.
$ podman attach --no-stdin foobar
SEE ALSO
podman(1), podman-exec(1), podman-run(1),
containers.conf(5)
~
~
/EXAMPLE #可在下面搜索例子
基础命令
//指定镜像做的历史
[root@localhost ~]# podman history docker.io/library/busybox
ID CREATED CREATED BY SIZE COMMENT
ffe9d497c324 6 days ago /bin/sh -c #(nop) CMD ["sh"] 0 B
<missing> 6 days ago /bin/sh -c #(nop) ADD file:e2d2d9591696b14... 1.46 MB
//使用 image 子命令管理镜像,使用 images 查看镜像
[root@localhost ~]# podman image --help
Manage images
Description:
Manage images
Usage:
podman image [command]
Available Commands:
build Build an image using instructions from Containerfiles
diff Inspect changes to the image's file systems
exists Check if an image exists in local storage
history Show history of a specified image
import Import a tarball to create a filesystem image
inspect Display the configuration of an image
list List images in local storage
load Load image(s) from a tar archive
mount Mount an image's root filesystem
prune Remove unused images
pull Pull an image from a registry
push Push an image to a specified destination
rm Removes one or more images from local storage
save Save image(s) to an archive
scp securely copy images
search Search registry for image
sign Sign an image
tag Add an additional name to a local image
tree Prints layer hierarchy of an image in a tree format
trust Manage container image trust policy
unmount Unmount an image's root filesystem
untag Remove a name from a local image
//查看镜像有几层
[root@localhost ~]# podman image tree docker.io/my922/nginx
Image ID: c69af231e7f6
Tags: [localhost/nginx:latest docker.io/my922/nginx:latest]
Size: 565.4MB
Image Layers
├── ID: 74ddd0ec08fa Size: 238.6MB Top Layer of: [docker.io/library/centos:latest]
├── ID: d253d66bdbee Size: 6.723MB
└── ID: 60c95eeded28 Size: 320.1MB Top Layer of: [localhost/nginx:latest docker.io/my922/nginx:latest]
//查看详细信息
[root@localhost ~]# podman info
host:
arch: amd64
buildahVersion: 1.23.1
cgroupControllers:
- cpuset
- cpu
- cpuacct
- blkio
- memory
- devices
- freezer
- net_cls
- perf_event
- net_prio
- hugetlb
- pids
- rdma
cgroupManager: systemd
cgroupVersion: v1
conmon:
package: conmon-2.0.30-1.module_el8.6.0+944+d413f95e.x86_64
path: /usr/bin/conmon
version: 'conmon version 2.0.30, commit: e28f6ed9f4a6f18e27f3efdab92de483806e6b9c'
设置开机自启
//先创建一个容器,不启动
[root@localhost ~]# podman create --name nginx nginx:latest
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
59ceb04e76fc localhost/nginx:latest nginx -g daemon o... 35 seconds ago Created nginx
//生成 service 文件,但此命令只把内容打印到终端,不会写入文件,建议用下一条命令(加 --files)
[root@localhost ~]# podman generate systemd --restart-policy=always -t 1 nginx
# container-59ceb04e76fc859f57cee88ac813534945dbeddd3c88229017151e031fb52a9e.service
# autogenerated by Podman 3.4.1-dev
# Tue Dec 14 22:22:56 CST 2021
[Unit]
Description=Podman container-59ceb04e76fc859f57cee88ac813534945dbeddd3c88229017151e031fb52a9e.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=/run/containers/storage
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=always
TimeoutStopSec=61
ExecStart=/usr/bin/podman start 59ceb04e76fc859f57cee88ac813534945dbeddd3c88229017151e031fb52a9e
ExecStop=/usr/bin/podman stop -t 1 59ceb04e76fc859f57cee88ac813534945dbeddd3c88229017151e031fb52a9e
ExecStopPost=/usr/bin/podman stop -t 1 59ceb04e76fc859f57cee88ac813534945dbeddd3c88229017151e031fb52a9e
PIDFile=/run/containers/storage/overlay-containers/59ceb04e76fc859f57cee88ac813534945dbeddd3c88229017151e031fb52a9e/userdata/conmon.pid
Type=forking
[Install]
WantedBy=multi-user.target default.target
//加 --files 生成 service 文件:为 nginx 容器生成一个文件,并按容器名命名
[root@localhost ~]# podman generate systemd --files --name nginx
/root/container-nginx.service
//把文件移动到 systemd 的 unit 目录,然后查看状态(本地生成的 unit 文件一般更推荐放在 /etc/systemd/system/ 下)
[root@localhost ~]# mv container-nginx.service /usr/lib/systemd/system/
[root@localhost ~]# systemctl status container-nginx
● container-nginx.service - Podman container-nginx.service
Loaded: loaded (/usr/lib/systemd/system/container-nginx.serv>
Active: inactive (dead)
Docs: man:podman-generate-systemd(1)
//把容器设置开机自启
[root@localhost ~]# systemctl enable --now container-nginx
Created symlink /etc/systemd/system/multi-user.target.wants/container-nginx.service → /usr/lib/systemd/system/container-nginx.service.
Created symlink /etc/systemd/system/default.target.wants/container-nginx.service → /usr/lib/systemd/system/container-nginx.service.
使用普通用户设置开机自启
//切换到普通用户
[root@localhost ~]# su - tom
上一次登录:二 12月 14 19:08:41 CST 2021pts/2 上
[tom@localhost ~]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
//创建一个容器
[tom@localhost ~]$ podman run --name web -d nginx
✔ docker.io/library/nginx:latest
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob 881ff011f1c9 done
Copying blob 21e0df283cd6 [>------------------] 1.7MiB / 24.2MiB
Copying blob e5ae68f74026 [>------------------] 1.0MiB / 29.9MiB
Copying blob ed835de16acd done
Copying blob 77700c52c969 done
Copying blob 44be98c0fab6 done
[tom@localhost ~]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
dcc006816f20 docker.io/library/nginx:latest nginx -g daemon o... About a minute ago Up About a minute ago web
//创建普通用户自己的 systemd unit 目录
[tom@localhost ~]$ cd .config/
[tom@localhost .config]$ ls
cni
[tom@localhost .config]$ mkdir systemd/user -p
[tom@localhost .config]$ tree
.
├── cni
│ └── net.d
│ └── 87-podman.conflist
└── systemd
└── user
//生成service文件
[tom@localhost user]$ pwd
/home/tom/.config/systemd/user
[tom@localhost user]$ podman generate systemd --files --name web
/home/tom/.config/systemd/user/container-web.service
//先停掉容器
[tom@localhost user]$ podman stop web
web
[tom@localhost user]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
dcc006816f20 docker.io/library/nginx:latest nginx -g daemon o... 5 minutes ago Exited (0) 5 seconds ago web
//重新加载 unit 文件。注意:普通用户的 unit 应使用 systemctl --user daemon-reload;这里没有加 --user,操作的是系统级 systemd,所以下面提示需要以 root 身份认证
[tom@localhost user]$ systemctl daemon-reload
==== AUTHENTICATING FOR org.freedesktop.systemd1.reload-daemon ====
Authentication is required to reload the systemd state.
Authenticating as: root
Password:
==== AUTHENTICATION COMPLETE ====