Podman
Why Podman exists
Many people have run into this on reboot: the Docker daemon pins every CPU core at 100%, none of the containers can start and every service is down. On top of that the Docker daemon runs as root with full privileges, which is a security problem in itself. What can be done about it? Use Podman.
Podman overview
Podman is an open-source project hosted on GitHub that runs on most Linux platforms. It is a daemonless container engine for developing, managing and running Open Container Initiative (OCI) containers and container images on Linux. Podman provides a Docker-compatible command-line front end, so it can simply stand in for the Docker CLI: in the simplest case you add the alias "alias docker=podman" and carry on.
Containers under Podman can be run by root or by an unprivileged user. Podman manages the whole container ecosystem: pods, containers, container images and container volumes, through the libpod library. It focuses on all the commands and functions needed to maintain and modify OCI container images, such as pulling and tagging, and lets you create, run and maintain containers created from those images in production.
Podman versus Docker
1. Docker needs a daemon (docker daemon) running on the system; Podman does not.
2. Containers are started differently:
The docker CLI talks to the Docker Engine over its API and asks it to create a container; the Docker Engine then calls the OCI container runtime (runc) to start it. The container process is therefore not a child of the Docker CLI but of the daemon side (dockerd/containerd and the shim it spawns).
Podman talks to the OCI container runtime (runc) directly, through a small per-container monitor process called conmon, so the container process is a descendant of podman itself. (With "podman run -d" podman exits afterwards and conmon is reparented to init, but no long-lived root daemon is involved at any point.)
3. Because Docker has a daemon, containers started by Docker honour a --restart policy. Podman has no daemon to enforce one across a reboot. In Kubernetes this is not an issue, since the pod's restart policy handles it; on a plain host, write a systemd service for the container (see the autostart section below).
4. Docker needs root to create containers (the docker socket is owned by root, and membership in the docker group is equivalent to root); Podman does not.
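What point 2 looks like from the host, as an added example that is not part of the original page: a POSIX shell script that walks a process's parent chain in a ps snapshot and reports whether it descends from the Docker/containerd shim or from Podman's conmon. The process table (PIDs and names) is constructed for the example; on a real host feed it the output of ps -eo pid,ppid,comm. This is the check an incident responder makes to attribute a suspicious process to a container engine.

```bash
#!/bin/sh
# Added example (not from the page): attribute a process to a container engine by
# walking its parent chain. The process table below is constructed for the example;
# on a real host use:  PS_SNAPSHOT=$(ps -eo pid,ppid,comm)
PS_SNAPSHOT='PID PPID COMMAND
1 0 systemd
800 1 containerd
900 1 dockerd
1000 800 containerd-shim
1010 1000 nginx
1500 1 sshd
1510 1500 bash
2000 1510 podman
2010 2000 conmon
2020 2010 httpd
3000 1 conmon
3010 3000 nginx
4000 1510 vim'

# ps_field PID FIELD -> column FIELD (2 = ppid, 3 = comm) of PID, empty if unknown
ps_field() {
    printf '%s\n' "$PS_SNAPSHOT" | awk -v p="$1" -v f="$2" '$1 == p { print $f; exit }'
}

# runtime_of PID -> "docker" if a containerd shim or dockerd is an ancestor,
# "podman" if conmon is (conmon is the monitor podman forks; a detached
# container's conmon is reparented to PID 1, so look for conmon, not podman),
# otherwise "none"
runtime_of() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 1 ]; do
        case "$(ps_field "$pid" 3)" in
            containerd-shim*|dockerd) echo docker; return 0 ;;
            conmon) echo podman; return 0 ;;
        esac
        pid=$(ps_field "$pid" 2)
    done
    echo none
}

# ancestry_of PID -> "comm(pid) <- parent(ppid) <- ... <- systemd(1)"
ancestry_of() {
    pid=$1; chain=""
    while [ -n "$pid" ] && [ "$pid" -gt 0 ]; do
        comm=$(ps_field "$pid" 3)
        [ -n "$comm" ] || break
        chain="${chain:+$chain <- }$comm($pid)"
        pid=$(ps_field "$pid" 2)
    done
    printf '%s\n' "$chain"
}

# stand-alone demonstration
for p in 1010 2020 3010 4000; do
    printf '%s: %s  [%s]\n' "$p" "$(runtime_of "$p")" "$(ancestry_of "$p")"
done
```

On a Docker host the shim's comm is containerd-shim-runc-v2, which ps truncates to 15 characters; the containerd-shim* pattern still matches it. Note what the two chains show: the httpd under conmon is a descendant of the administrator's login shell, so the normal audit trail (session, cgroup, user) of who started it is intact, whereas the nginx under containerd-shim hangs off the daemon and is only attributable through the daemon's own logs.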
Podman architecture
Podman, Skopeo and Buildah are three tools from the OCI-oriented github.com/containers project, driven mainly by Red Hat. Together they cover everything Docker does without a daemon and without access to a root-equivalent group, which makes them more secure and robust; they are the next generation of container tooling.
Podman can replace most Docker subcommands (run, push, pull and so on). It does not need a daemon; instead it uses user namespaces to provide root inside the container, so no connection to a root-privileged socket is needed and the container stack stays secure.
Podman is only one part of the OCI container ecosystem: it concentrates on the commands and functions for maintaining and modifying OCI-compliant images, such as pulling and tagging, and on creating, running and maintaining containers from those images. The other components are Buildah and Skopeo.
Buildah
Buildah builds OCI images. Podman can also build images from a Dockerfile, but in the author's experience it was very slow and by default used the vfs storage driver, which eats a lot of disk space; buildah bud (build-using-dockerfile) is fast and uses the overlay storage driver, which saves a lot of space.
Buildah focuses on building OCI images. Its commands mirror every instruction in a Dockerfile, it can build from Dockerfiles, and it needs no root privileges. Buildah's ultimate goal is a lower-level, coreutils-style interface for building images; it also supports builds without a Dockerfile, so other scripting languages can be integrated into the build process. Buildah follows a simple fork-exec model and does not run as a daemon, but it is built on a comprehensive Go API that other tools can vendor.
The main difference between Buildah and Podman: Podman runs and manages containers, letting us manage and maintain images and containers in production with the familiar container CLI commands, while Buildah is mainly for building them.
Skopeo
Skopeo is an image management tool that handles Docker and OCI-compliant images by pushing, pulling and copying them between registries and local storage; it can inspect and copy images without a daemon and without unpacking them into a container runtime.
Using Podman
Installing Podman
If you want to play with Podman on RHEL you need RHEL 8.2 or later, which ships Podman 1.9.3. Lao Geng (the author) recommends CentOS Stream for playing with Podman: from CentOS 8.2 on, every installation profile except the minimal one installs Podman by default. On RHEL 8.2 or later you just install Podman directly.
On RHEL 8 and later the default AppStream repository already carries the Podman package, so installation is a single command:
[root@localhost ~]# yum -y install podman
Configuring a registry mirror for Podman
# Podman's registry configuration, here pointing docker.io at an Alibaba Cloud mirror
[root@localhost ~]# cat /etc/containers/registries.conf
unqualified-search-registries = ["docker.io"]
[[registry]]
prefix = "docker.io"
location = "5ufvppm7.mirror.aliyuncs.com"
# A [[registry]] block with location= rewrites every reference under the prefix to that host: the image keeps its docker.io name, but all of its bytes come from the mirror, so the mirror is trusted exactly as much as Docker Hub itself. To use the mirror only as a preferred source with Docker Hub as fallback, put location under a [[registry.mirror]] sub-table instead.
# The short-name alias table maps bare names such as "centos" to a specific registry. Move it aside to see how resolution changes without it
[root@localhost ~]# cd /etc/containers/registries.conf.d/
[root@localhost registries.conf.d]# mv shortnames.conf shortnames.conf.bak
[root@localhost ~]# podman pull centos
Completed short name "centos" with unqualified-search registries (origin: /etc/containers/registries.conf)
Trying to pull docker.io/library/centos:latest...
Getting image source signatures
Copying blob 7a0437f04f83 done
Copying config 300e315adb done
Writing manifest to image destination
Storing signatures
300e315adb2f96afe5f0b2780b87f28ae95231fe3bdd1e16b9ba606307728f55
[root@localhost registries.conf.d]# mv shortnames.conf.bak shortnames.conf
# With the alias table back in place the same short name resolves to a different registry and a different image
[root@localhost ~]# podman pull centos
Resolved short name "centos" to a recorded short-name alias (origin: /etc/containers/registries.conf.d/shortnames.conf)
Trying to pull registry.centos.org/centos:latest...
Getting image source signatures
Copying blob 926a85fb4806 done
Copying config 2f3766df23 done
Writing manifest to image destination
Storing signatures
2f3766df23b6b238987b29a0cec50a9974f97948ea2e6569035d374289ca2da2
[root@localhost ~]# podman images
REPOSITORY                  TAG     IMAGE ID      CREATED       SIZE
registry.centos.org/centos  latest  2f3766df23b6  2 months ago  217 MB
docker.io/library/centos    latest  300e315adb2f  2 months ago  217 MB
[root@localhost ~]# podman pull ubuntu
Completed short name "ubuntu" with unqualified-search registries (origin: /etc/containers/registries.conf)
Trying to pull docker.io/library/ubuntu:latest...
Getting image source signatures
Copying blob da7391352a9b done
Copying blob 14428a6d4bcd done
Copying blob 2c2d948710f2 done
Copying config f643c72bc2 done
Writing manifest to image destination
Storing signatures
f643c72bc25212974c16f3348b3a898b1ec1eb13ec1539e10a103e6e217eb2f1
[root@localhost ~]# podman images
REPOSITORY                  TAG     IMAGE ID      CREATED       SIZE
registry.centos.org/centos  latest  2f3766df23b6  2 months ago  217 MB
docker.io/library/centos    latest  300e315adb2f  2 months ago  217 MB
docker.io/library/ubuntu    latest  f643c72bc252  2 months ago  75.3 MB
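How Podman decides what "podman pull centos" actually fetches, as an added example rather than code from the page or the Podman project: a POSIX shell script that applies the short-name rules (recorded alias first, then the unqualified-search-registries list, with docker.io's library/ prefix for official images) and shows where a [[registry]] location= entry redirects the pull. The registries.conf and shortnames.conf contents are constructed for the example and written to a temporary directory; the mirror hostname and the centos alias are the page's, the ubi8 alias and the second, two-registry search list are assumptions added to show the other cases.

```bash
#!/bin/sh
# Added example (not from the page or the Podman project): resolve short image
# names the way Podman's short-name rules do and show which host a
# [[registry]] location= entry really pulls from. The config files are
# constructed for the example; on a real host set
#   REGISTRIES=/etc/containers/registries.conf
#   SHORTNAMES=/etc/containers/registries.conf.d/shortnames.conf
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
REGISTRIES=$WORK/registries.conf
SHORTNAMES=$WORK/shortnames.conf
cat > "$REGISTRIES" <<'EOF'
unqualified-search-registries = ["docker.io"]

[[registry]]
prefix = "docker.io"
location = "5ufvppm7.mirror.aliyuncs.com"
EOF
cat > "$SHORTNAMES" <<'EOF'
[aliases]
  "centos" = "registry.centos.org/centos"
  "ubi8" = "registry.access.redhat.com/ubi8"
EOF
# assumed second config with two search registries, for the ambiguous case
REGISTRIES_MULTI=$WORK/registries-multi.conf
printf 'unqualified-search-registries = ["docker.io", "quay.io"]\n' > "$REGISTRIES_MULTI"

# alias_target NAME -> target of a  "NAME" = "target"  line, empty if none
alias_target() {
    awk -v n="$1" '
        { s = $0; sub(/^[ \t]+/, "", s) }
        index(s, "\"" n "\"") == 1 {
            s = substr(s, index(s, "=") + 1); s = substr(s, index(s, "\"") + 1)
            print substr(s, 1, index(s, "\"") - 1); exit }' "$SHORTNAMES"
}

# search_registries -> the unqualified-search-registries list, space separated
search_registries() {
    awk '/^[ \t]*unqualified-search-registries[ \t]*=/ {
        s = substr($0, index($0, "[") + 1); s = substr(s, 1, index(s, "]") - 1)
        gsub(/[",]/, " ", s); print s; exit }' "$REGISTRIES"
}

# pull_location_for REGISTRY -> location= of the [[registry]] block whose prefix= matches
pull_location_for() {
    awk -v r="$1" '
        function val(s) { s = substr(s, index(s, "\"") + 1); return substr(s, 1, index(s, "\"") - 1) }
        /^\[\[registry\]\]/ { prefix = "" }
        /^[ \t]*prefix[ \t]*=/ { prefix = val($0) }
        /^[ \t]*location[ \t]*=/ && prefix == r { print val($0); exit }' "$REGISTRIES"
}

# resolve_short_name NAME[:TAG] -> fully qualified reference; exit 1 if ambiguous
resolve_short_name() {
    ref=$1
    last=${ref##*/}; tag=""
    case "$last" in *:*) tag=":${last#*:}"; last=${last%%:*} ;; esac
    if [ "${ref%/*}" = "$ref" ]; then repo=$last; else repo="${ref%/*}/$last"; fi
    case "${repo%%/*}" in
        *.*|*:*|localhost) printf '%s\n' "$ref"; return 0 ;;   # already qualified
    esac
    target=$(alias_target "$repo")                             # 1. a recorded alias wins
    if [ -n "$target" ]; then printf '%s%s\n' "$target" "$tag"; return 0; fi
    set -- $(search_registries)                                # 2. the search list
    if [ "$#" -ne 1 ]; then
        printf 'short name "%s" is ambiguous (candidates: %s); use a fully qualified name\n' "$ref" "$*" >&2
        return 1
    fi
    case "$1/$repo" in
        docker.io/*/*) ;;                                      # docker.io/user/repo
        docker.io/*) repo="library/$repo" ;;                   # official images live under library/
    esac
    printf '%s/%s%s\n' "$1" "$repo" "$tag"
}

# pull_source NAME -> host/path actually contacted after the location= rewrite
pull_source() {
    full=$(resolve_short_name "$1") || return 1
    reg=${full%%/*}
    loc=$(pull_location_for "$reg")
    printf '%s/%s\n' "${loc:-$reg}" "${full#*/}"
}

for n in centos centos:8 ubuntu myorg/app:v1 quay.io/podman/stable; do
    printf '%-24s -> %-36s pulled from %s\n' "$n" "$(resolve_short_name "$n")" "$(pull_source "$n")"
done
```

Two things the script makes visible. With more than one search registry an unqualified name is ambiguous, and a script should refuse it rather than guess (interactive podman prompts the user; non-interactive podman fails). And a location= rewrite means that every docker.io pull, including an explicit podman pull docker.io/library/ubuntu, is served by the mirror while the image keeps its docker.io name. In anything automated, pin images by fully qualified name or by digest.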
Podman image management
Pulling images through a proxy
1. Turn a SOCKS5 proxy into an HTTP proxy with Privoxy (Podman honours the http_proxy/https_proxy environment variables)
[root@localhost ~]# yum -y install epel-release
[root@localhost ~]# yum -y install privoxy
[root@localhost ~]# vim /etc/privoxy/config
[root@localhost ~]# egrep '^listen-address' /etc/privoxy/config -A 1
listen-address 0.0.0.0:8118
forward-socks5t / 192.168.199.11:10808 .
# Caveat: listen-address 0.0.0.0 makes port 8118 an open proxy for every host that can reach it; bind to 127.0.0.1 or restrict the port with firewalld unless other machines really need it
[root@localhost ~]# systemctl enable privoxy --now
[root@localhost ~]# netstat -tunlp | grep 8118
2. Pull through the proxy: the first attempt, with no proxy variable set, cannot reach gcr.io; after exporting https_proxy the same pull succeeds
[root@localhost ~]# podman pull gcr.io/google-containers/ubuntu:14.04
[root@localhost ~]# export https_proxy='10.163.1.110:8118'
[root@localhost ~]# podman pull gcr.io/google-containers/ubuntu:14.04
[root@localhost ~]# podman images
[root@localhost ~]# podman image rm gcr.io/google-containers/ubuntu:14.04
Basic image operations
1. Pull an image
[root@localhost ~]# podman pull httpd
2. List images
[root@localhost ~]# podman images
3. Remove images (by full name, by name:tag, or by short name)
[root@localhost ~]# podman image rm docker.io/library/ubuntu
[root@localhost ~]# podman images
[root@localhost ~]# podman image rm registry.centos.org/centos:latest
[root@localhost ~]# podman image rm centos
[root@localhost ~]# podman images
4. Back up an image
# podman save writes the image as a tar archive to stdout (podman save -o FILE is equivalent); the archive carries no signature, so record its checksum if it travels to another host
[root@localhost ~]# podman images
[root@localhost ~]# podman save > httpd-latest.tar docker.io/library/httpd:latest
[root@localhost ~]# ls -lh httpd-latest.tar
5. Import an image
[root@localhost ~]# podman images
REPOSITORY  TAG  IMAGE ID  CREATED  SIZE
[root@localhost ~]# podman load -i httpd-latest.tar
[root@localhost ~]# podman images
REPOSITORY               TAG     IMAGE ID      CREATED      SIZE
docker.io/library/httpd  latest  683a7aad17d3  5 weeks ago  142 MB
6. Tips
# A temporary alias for the current shell
[root@localhost ~]# alias docker='podman'
[root@localhost ~]# docker images
REPOSITORY               TAG     IMAGE ID      CREATED      SIZE
docker.io/library/httpd  latest  683a7aad17d3  5 weeks ago  142 MB
# A persistent alias in the current user's shell start-up file (the podman-docker package does the same system-wide with a /usr/bin/docker wrapper)
[root@localhost ~]# cat .bashrc
# .bashrc
alias docker='podman'
# User specific aliases and functions
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
# Source global definitions
if [ -f /etc/bashrc ]; then
    . /etc/bashrc
fi
7. Searching for images
# podman search queries every registry in unqualified-search-registries; check the publisher before pulling, since anyone can publish under a plausible name
[root@localhost ~]# podman search nginx
[root@localhost ~]# podman pull nginx
[root@localhost ~]# podman images
Podman container management
1. Run a container
[root@localhost ~]# podman run -dt --name web1 httpd
5dea24e6447af2c37dacdc43028b3792498bde2ba112f23700112df5e0919949
[root@localhost ~]# podman ps
[root@localhost ~]# podman exec -it web1 bash
root@5dea24e6447a:/usr/local/apache2# exit
exit
[root@localhost ~]#
2. Stop a container
[root@localhost ~]# podman container stop web1
5dea24e6447af2c37dacdc43028b3792498bde2ba112f23700112df5e0919949
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE  COMMAND  CREATED  STATUS  PORTS  NAMES
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND           CREATED             STATUS                    PORTS  NAMES
5dea24e6447a  docker.io/library/httpd:latest  httpd-foreground  About a minute ago  Exited (0) 4 seconds ago         web1
3. Start a container
[root@localhost ~]# podman start web1
web1
[root@localhost ~]# podman ps
4. Restart a container
[root@localhost ~]# podman restart web1
[root@localhost ~]# podman ps
5. Remove a container
# podman rm refuses to remove a running container: stop it first, or force it with podman rm -f
[root@localhost ~]# podman rm web1
[root@localhost ~]# podman stop web1
5dea24e6447af2c37dacdc43028b3792498bde2ba112f23700112df5e0919949
[root@localhost ~]# podman rm web1
5dea24e6447af2c37dacdc43028b3792498bde2ba112f23700112df5e0919949
# podman rm -f CONTAINER force-removes a container, running or not
6. Inspect a container
[root@localhost ~]# podman run -dt --name web1 httpd
23a3e9fdd2d36a0828355d47514efdd598421e1f4316873e8ce2e2a2bb4f3a74
[root@localhost ~]# podman inspect web1
Podman network management
# Creating a container network; see podman-network-create(1)
[root@localhost ~]# nmcli device status
[root@localhost ~]# nmcli con show
# Without a name, podman picks the next free cni-podmanN name and writes a CNI configuration for it
[root@localhost ~]# podman network create
/etc/cni/net.d/cni-podman1.conflist
[root@localhost ~]# podman network ls
[root@localhost ~]# nmcli con show
[root@localhost ~]# ip a show
# The bridge interface only appears once a container is attached to the network
[root@localhost ~]# podman run -dt --name web2 --network cni-podman1 httpd
747b947315ac9965efa0ea83a3fccf1b5f0b0b2688a5982ca0940e5b26e01e47
[root@localhost ~]# ip a show
[root@localhost ~]# nmcli con show
[root@localhost ~]# bridge link
[root@localhost ~]# cd /etc/cni/net.d
[root@localhost net.d]# pwd
/etc/cni/net.d
[root@localhost net.d]# ls cni-podman1.conflist
cni-podman1.conflist
# A network with an explicit subnet; the generated CNI configuration shows what a Podman bridge network consists of
[root@localhost ~]# podman network create --subnet 192.5.0.0/16 newnet
/etc/cni/net.d/newnet.conflist
[root@localhost ~]# cat /etc/cni/net.d/newnet.conflist
{
  "cniVersion": "0.4.0",
  "name": "newnet",
  "plugins": [
    {
      "type": "bridge",
      "bridge": "cni-podman2",
      "isGateway": true,
      "ipMasq": true,
      "hairpinMode": true,
      "ipam": {
        "type": "host-local",
        "routes": [
          {
            "dst": "0.0.0.0/0"
          }
        ],
        "ranges": [
          [
            {
              "subnet": "192.5.0.0/16",
              "gateway": "192.5.0.1"
            }
          ]
        ]
      }
    },
    {
      "type": "portmap",
      "capabilities": {
        "portMappings": true
      }
    },
    {
      "type": "firewall",
      "backend": ""
    },
    {
      "type": "tuning"
    }
  ]
}
# bridge: the Linux bridge the containers hang off (isGateway gives the host the .1 address, ipMasq NATs outbound traffic); host-local IPAM hands out addresses from the subnet; portmap implements -p host:container as DNAT rules on the host; firewall adds the iptables/firewalld rules that let traffic in and out of the bridge; tuning allows per-interface sysctl and MAC tweaks
# An IPv6 network; --ipv6 is required when the subnet is IPv6
[root@localhost ~]# podman network create --subnet 2001:db8::/64 --ipv6 newnetv6
/etc/cni/net.d/newnetv6.conflist
[root@localhost ~]# podman run -dt --name web4 --network newnetv6 httpd
a73f68aa17c6b9369cecf48122f6584abaa00a347694f2d3c0dab11b3fb1d6b1
# Force-remove every running container
[root@localhost ~]# podman rm -f $(podman ps -q)
ERRO[0002] unable to cleanup network for container a73f68aa17c6b9369cecf48122f6584abaa00a347694f2d3c0dab11b3fb1d6b1: "error tearing down CNI namespace configuration for container a73f68aa17c6b9369cecf48122f6584abaa00a347694f2d3c0dab11b3fb1d6b1: Error while removing pod from CNI network "newnetv6": running [/usr/sbin/ip6tables -t nat -D POSTROUTING -s 2001:db8::2/64 -j CNI-2add30b36eb22fbc85c8cc97 -m comment --comment name: "newnetv6" id: "a73f68aa17c6b9369cecf48122f6584abaa00a347694f2d3c0dab11b3fb1d6b1" --wait]: exit status 1: iptables: Bad rule (does a matching rule exist in that chain?).\n"
a73f68aa17c6b9369cecf48122f6584abaa00a347694f2d3c0dab11b3fb1d6b1
23a3e9fdd2d36a0828355d47514efdd598421e1f4316873e8ce2e2a2bb4f3a74
747b947315ac9965efa0ea83a3fccf1b5f0b0b2688a5982ca0940e5b26e01e47
7daf29b3bd540ffcd91412c3af3aa37dd1a2f7814f49763a35a6a75adcbfbbc5
# The error is the CNI teardown of the IPv6 network trying to delete an ip6tables masquerade rule that is not present; it is not fatal, and the containers are removed, as the IDs echoed afterwards and the empty listing show
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE  COMMAND  CREATED  STATUS  PORTS  NAMES
# Deleting container networks
[root@localhost ~]# podman network ls
NAME         VERSION  PLUGINS
cni-podman1  0.4.0    bridge,portmap,firewall,tuning
newnet       0.4.0    bridge,portmap,firewall,tuning
newnetv6     0.4.0    bridge,portmap,firewall,tuning
podman       0.4.0    bridge,portmap,firewall,tuning
[root@localhost ~]# podman network rm newnet
newnet
[root@localhost ~]# podman network rm newnetv6
newnetv6
[root@localhost ~]# podman network rm cni-podman1
cni-podman1
# Removing the default "podman" network breaks every container that does not name a network explicitly
[root@localhost ~]# podman network rm podman
podman
[root@localhost ~]# podman network ls
NAME  VERSION  PLUGINS
[root@localhost ~]# podman run -dt --name web1 httpd
ERRO[0000] CNI network "podman" not found
Error: error configuring network namespace for container ad9aafab0a0462bb2e5dfc870b8ad7cc9ffe3290c2fef09b8388387fe29c8c07: CNI network "podman" not found
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS   PORTS  NAMES
ad9aafab0a04  docker.io/library/httpd:latest  httpd-foreground  4 seconds ago  Created         web1
# Recreate the default network, remove the half-created container and try again
[root@localhost ~]# podman network create podman
/etc/cni/net.d/podman.conflist
[root@localhost ~]# podman rm web1
ad9aafab0a0462bb2e5dfc870b8ad7cc9ffe3290c2fef09b8388387fe29c8c07
[root@localhost ~]# podman run -dt --name web1 httpd
00a187af94588f9788db3a916a37bc2bc6ecfc2b693ee45346719d530720ea70
# -p host:container publishes a port through the portmap plugin; it binds on every host interface unless an address is given (for example -p 127.0.0.1:12345:80)
[root@localhost ~]# podman run -dt --name web2 -p 12345:80 httpd
fe11a9816511e4cf1eeb22a217658d438c9c3adbf147c2e4efcbefe821f31d72
[root@localhost ~]# podman ps -a
Podman persistent storage
[root@localhost ~]# podman volume ls
# Without a name, podman generates a random one
[root@localhost ~]# podman volume create
4d42640d8913776aec5cfbcd94e4e000838dbb680ce99fb3aa41d5a026d82144
[root@localhost ~]# podman volume ls
[root@localhost ~]# podman volume create volume1
volume1
[root@localhost ~]# podman volume ls
DRIVER  VOLUME NAME
local   4d42640d8913776aec5cfbcd94e4e000838dbb680ce99fb3aa41d5a026d82144
local   volume1
# Root's named volumes live under /var/lib/containers/storage/volumes/<name>/_data (rootless users get ~/.local/share/containers/storage/volumes)
[root@localhost ~]# find / -name volume1
/var/lib/containers/storage/volumes/volume1
[root@localhost ~]# ls /var/lib/containers/storage/volumes/volume1/
_data
[root@localhost ~]# podman volume create web
web
[root@localhost ~]# ls /var/lib/containers/storage/volumes/web/
_data
# Mount the named volume at /web inside the container
[root@localhost ~]# podman run -dt --name centos1 -v web:/web centos
80e39049e02bd8591ed6b01009b4398b5fe7d3032dfb84bca6eb6bb012c227d3
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                            COMMAND    CREATED        STATUS             PORTS  NAMES
80e39049e02b  docker.io/library/centos:latest  /bin/bash  5 seconds ago  Up 5 seconds ago         centos1
[root@localhost ~]# podman exec -i centos1 df -Th
[root@localhost ~]# podman volume inspect web
[
    {
        "Name": "web",
        "Driver": "local",
        "Mountpoint": "/var/lib/containers/storage/volumes/web/_data",
        "CreatedAt": "2021-02-18T21:35:51.743779089+08:00",
        "Labels": {},
        "Scope": "local",
        "Options": {}
    }
]
# The mount is rw and carries nosuid,nodev: setuid binaries and device nodes placed in the volume have no effect inside the container
[root@localhost ~]# podman inspect centos1 | grep web
"Name": "web",
"Source": "/var/lib/containers/storage/volumes/web/_data",
"Destination": "/web",
"web:/web",
"web:/web:rw,rprivate,nosuid,nodev,rbind"
# The same volume can back a second container; here it becomes Apache's document root
[root@localhost ~]# podman run -dt --name web1 -v web:/usr/local/apache2/htdocs httpd
652b3589f1d4a04b66ed952724c79269cd44fe68054d10174ec2059e22aafad1
[root@localhost ~]# podman exec -i web1 df -Th
[root@localhost ~]# echo "glshs" >> /var/lib/containers/storage/volumes/web/_data/index.html
[root@localhost ~]# podman exec -i web1 ls /usr/local/apache2/htdocs
index.html
[root@localhost ~]# podman exec -i web1 cat /usr/local/apache2/htdocs/index.html
glshs
[root@localhost ~]# podman inspect web1 | grep 10.88
"Gateway": "10.88.2.1",
"IPAddress": "10.88.2.4",
"Gateway": "10.88.2.1",
"IPAddress": "10.88.2.4",
# Containers on the same bridge reach each other by IP
[root@localhost ~]# podman exec -i centos1 curl 10.88.2.4
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100     6  100     6    0     0   3000      0 --:--:-- --:--:-- --:--:--  6000
glshs
# Bind-mounting a host directory instead of a named volume
[root@localhost ~]# mkdir /web2
[root@localhost ~]# echo "glshh" >> /web2/index.html
[root@localhost ~]# podman run -dt --name web2 -v /web2:/usr/local/apache2/htdocs httpd
e6e55b02d5465a48c45b8def0e19078528f5e3c2969246344233c04f1f33e76f
[root@localhost ~]# podman inspect web2 | grep 10.88
"Gateway": "10.88.2.1",
"IPAddress": "10.88.2.5",
"Gateway": "10.88.2.1",
"IPAddress": "10.88.2.5",
# No page comes back: with SELinux enforcing, Apache (running as container_t) is not allowed to read /web2
[root@localhost ~]# podman exec -i centos1 curl 10.88.2.5
[root@localhost ~]# getenforce
Enforcing
# Switching SELinux to permissive is only a diagnostic step, never the fix; compare the labels instead
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive
[root@localhost ~]# podman exec -i centos1 curl 10.88.2.5
# /web2 carries the generic default_t, which container_t may not read, while podman's own volume directory is labeled for container use
[root@localhost ~]# ls -ldZ /web2/
drwxr-xr-x. 2 root root unconfined_u:object_r:default_t:s0 24 Feb 18 21:42 /web2/
[root@localhost ~]# ls -ldZ /var/lib/containers/storage/volumes/web/
drwx------. 3 root root unconfined_u:object_r:container_var_lib_t:s0 19 Feb 18 21:35 /var/lib/containers/storage/volumes/web/
[root@localhost ~]# setenforce 1
# The fix is the :Z suffix: podman relabels the source directory to container_file_t with this container's private MCS category. Use lowercase :z instead when several containers must share the directory (shared label, no per-container category). Never use either on a system directory such as /etc or /usr, because the relabel is applied to the host's files.
[root@localhost ~]# podman run -dt --name web3 -p 22222:80 -v /web2:/usr/local/apache2/htdocs:Z httpd
bc73808f5eca658e89caccca66668872004f126537638435ca41899cc4468ada
[root@localhost ~]# curl localhost:22222
glshh
[root@localhost ~]#
# For contrast, the same mount without :Z: /web2 now carries web3's private category and web4 has a different one, so Apache in web4 cannot read it and no page content comes back
[root@localhost ~]# podman run -dt --name web4 -p 22221:80 -v /web2:/usr/local/apache2/htdocs httpd
dd36d517c38a2c1062c08c058de917bf1455b673fb11aa7ead2b93e0acab5959
[root@localhost ~]# curl localhost:22221
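The decision that kept /web2 unreadable until :Z, as an added example that is not from the page: a POSIX shell model of the SELinux type and MCS category check between a container process label (as printed by podman inspect --format '{{.ProcessLabel}}') and a file label (as printed by ls -Z), plus the label each of :Z and :z makes podman assign. The labels and category numbers are constructed; the model covers only the container_file_t type that podman assigns and the category comparison, not the full policy.

```bash
#!/bin/sh
# Added example (not from the page): a model of the SELinux decision between a
# container process label and the label of a bind-mounted directory, and of the
# labels that the :Z and :z mount options make podman assign. Labels are in the
# form ls -Z and podman inspect --format '{{.ProcessLabel}}' print them; all of
# them below are constructed. Only the container_file_t type that podman assigns
# and the MCS category comparison are modelled, not the full policy.

# label_field LABEL N -> field N of user:role:type:level[:categories]
label_field() { printf '%s' "$1" | cut -d: -f"$2"; }

# mcs_dominates PROC_CATS FILE_CATS -> 0 when every file category is in the
# process's set; a file with no categories (plain s0) is readable by any category set
mcs_dominates() {
    if [ -z "$2" ]; then return 0; fi
    old_ifs=$IFS; IFS=,
    for c in $2; do
        case ",$1," in
            *",$c,"*) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# selinux_mount_allowed FILE_CTX PROC_CTX -> 0 allowed, 1 denied,
# 2 if the process is not a container (outside this model)
selinux_mount_allowed() {
    file_type=$(label_field "$1" 3); file_cats=$(label_field "$1" 5)
    proc_type=$(label_field "$2" 3); proc_cats=$(label_field "$2" 5)
    if [ "$proc_type" != "container_t" ]; then return 2; fi
    case "$file_type" in
        container_file_t) ;;   # the type :Z and :z assign
        *) return 1 ;;         # default_t, user_home_t, admin_home_t, ...: container_t may not read these
    esac
    mcs_dominates "$proc_cats" "$file_cats"
}

# relabel_result PROC_CTX FLAG -> the file label that -v src:dst:FLAG produces
relabel_result() {
    case "$2" in
        Z) printf 'system_u:object_r:container_file_t:s0:%s\n' "$(label_field "$1" 5)" ;;  # private: this container's categories
        z) printf 'system_u:object_r:container_file_t:s0\n' ;;                              # shared: no categories
        *) return 1 ;;
    esac
}

# replay the page's /web2 experiment with constructed process labels
WEB3='system_u:system_r:container_t:s0:c12,c34'
WEB4='system_u:system_r:container_t:s0:c55,c66'
check() { if selinux_mount_allowed "$1" "$2"; then echo "allowed: $1 for $2"; else echo "denied:  $1 for $2"; fi; }
check 'unconfined_u:object_r:default_t:s0' "$WEB3"            # the original /web2 label
check "$(relabel_result "$WEB3" Z)" "$WEB3"                   # after web3's :Z relabel
check "$(relabel_result "$WEB3" Z)" "$WEB4"                   # web4 sees web3's private label
check "$(relabel_result "$WEB3" z)" "$WEB4"                   # :z would have let both read it
```

The model explains both observations on the page: default_t fails on the type check regardless of categories, and after web3's :Z relabel the directory carries web3's pair of categories, which web4's pair does not dominate. That is what makes :Z a per-container isolation boundary and :z a deliberate decision to share.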
Autostarting Podman containers
# Without a daemon nobody restarts containers after a reboot: web1 comes back as Exited
[root@localhost ~]# podman run -dt --name web1 httpd
28bc998edf269580f8a24c1a53967bec30ea56e800a8316da6f54f62490756fc
[root@localhost ~]# podman ps -a
[root@localhost ~]# reboot
Connection to 10.163.1.110 closed by remote host.
Connection to 10.163.1.110 closed.
[root@eveng-home ~]# ssh 10.163.1.110
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND           CREATED         STATUS                     PORTS  NAMES
28bc998edf26  docker.io/library/httpd:latest  httpd-foreground  41 seconds ago  Exited (0) 35 seconds ago         web1
# No podman process exists after boot; after podman start the only long-lived process is conmon, the per-container monitor (its command line mentions podman because of --exit-command)
[root@localhost ~]# ps aux | grep podman
[root@localhost ~]# podman start web1
web1
[root@localhost ~]# ps aux | grep podman
# --name uses the container's name instead of its ID in the unit
# --files writes the unit to a file instead of stdout
# web1 is the container to generate the unit for
[root@localhost ~]# podman generate systemd --files --name web1
/root/container-web1.service
[root@localhost ~]# cat container-web1.service
# container-web1.service
# autogenerated by Podman 3.0.0-dev
# Thu Feb 18 23:44:48 CST 2021

[Unit]
Description=Podman container-web1.service
Documentation=man:podman-generate-systemd(1)
Wants=network.target
After=network-online.target

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStart=/usr/bin/podman start web1
ExecStop=/usr/bin/podman stop -t 10 web1
ExecStopPost=/usr/bin/podman stop -t 10 web1
PIDFile=/run/containers/storage/overlay-containers/28bc998edf269580f8a24c1a53967bec30ea56e800a8316da6f54f62490756fc/userdata/conmon.pid
Type=forking

[Install]
WantedBy=multi-user.target default.target
# This unit only starts the existing container: it is tied to this container's ID through PIDFile, so it stops working if the container is ever removed and recreated
# Install the unit system-wide, fix its SELinux label (it was created in /root and still carries admin_home_t), then enable it
[root@localhost ~]# mv container-web1.service /etc/systemd/system/
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# restorecon -RvF /etc/systemd/system/container-web1.service
[root@localhost ~]# systemctl enable container-web1.service --now
[root@localhost ~]# systemctl status container-web1.service
[root@localhost ~]# podman ps -a
[root@localhost ~]# systemctl restart container-web1.service
[root@localhost ~]# podman ps -a
[root@localhost ~]# systemctl stop container-web1.service
[root@localhost ~]# podman ps -a
[root@localhost ~]# systemctl start container-web1.service
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND           CREATED         STATUS            PORTS  NAMES
28bc998edf26  docker.io/library/httpd:latest  httpd-foreground  18 minutes ago  Up 2 seconds ago         web1
# After a reboot the unit brings the container back
[root@localhost ~]# reboot
[root@eveng-home ~]# ssh 10.163.1.110
root@10.163.1.110's password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Thu Feb 18 23:34:27 2021 from 10.163.1.200
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND           CREATED         STATUS            PORTS  NAMES
28bc998edf26  docker.io/library/httpd:latest  httpd-foreground  19 minutes ago  Up 2 seconds ago         web1
[root@localhost ~]# podman run -dt --name web2 -p 43211:80 -v /web2:/usr/local/apache2/htdocs:Z httpd
16a5b030b61b726cfe2c6b63371bcf22a7ebb9b683c11d73bbd364cb48e28d5d
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND           CREATED         STATUS            PORTS                  NAMES
28bc998edf26  docker.io/library/httpd:latest  httpd-foreground  21 minutes ago  Up 2 minutes ago                         web1
16a5b030b61b  docker.io/library/httpd:latest  httpd-foreground  4 seconds ago   Up 3 seconds ago  0.0.0.0:43211->80/tcp  web2
[root@localhost ~]# curl localhost:43211
glshh
[root@localhost ~]# podman generate systemd --files --name web2
/root/container-web2.service
[root@localhost ~]# ls
anaconda-ks.cfg  container-web2.service  httpd-latest.tar
[root@localhost ~]# mv container-web2.service /etc/systemd/system/
[root@localhost ~]# restorecon -RvF /etc/systemd/system/container-web2.service
Relabeled /etc/systemd/system/container-web2.service from unconfined_u:object_r:admin_home_t:s0 to system_u:object_r:systemd_unit_file_t:s0
[root@localhost ~]# systemctl enable container-web2.service --now
Created symlink /etc/systemd/system/multi-user.target.wants/container-web2.service → /etc/systemd/system/container-web2.service.
Created symlink /etc/systemd/system/default.target.wants/container-web2.service → /etc/systemd/system/container-web2.service.
[root@localhost ~]# reboot
Connection to 10.163.1.110 closed by remote host.
Connection to 10.163.1.110 closed.
[root@eveng-home ~]#
[root@eveng-home ~]# ssh 10.163.1.110
root@10.163.1.110's password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Thu Feb 18 23:53:06 2021 from 10.163.1.200
[root@localhost ~]# podman ps -a
[root@localhost ~]# curl localhost:43211
glshh
[root@localhost ~]# systemctl disable container-web1.service container-web2.service --now
Removed /etc/systemd/system/multi-user.target.wants/container-web1.service.
Removed /etc/systemd/system/multi-user.target.wants/container-web2.service.
Removed /etc/systemd/system/default.target.wants/container-web1.service.
Removed /etc/systemd/system/default.target.wants/container-web2.service.
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND           CREATED         STATUS                    PORTS                  NAMES
28bc998edf26  docker.io/library/httpd:latest  httpd-foreground  25 minutes ago  Exited (0) 4 seconds ago                         web1
16a5b030b61b  docker.io/library/httpd:latest  httpd-foreground  3 minutes ago   Exited (0) 4 seconds ago  0.0.0.0:43211->80/tcp  web2
# Second autostart method: --new generates a unit that creates the container from scratch on every start and removes it on stop. The unit then no longer depends on a pre-existing container or on its conmon pid file path, so it can be copied to another host, and anything the container must keep has to live in a volume or bind mount.
[root@localhost ~]# podman generate systemd --files --new --name web1
/root/container-web1.service
[root@localhost ~]# podman generate systemd --files --new --name web2
/root/container-web2.service
[root@localhost ~]# cat container-web1.service
# container-web1.service
# autogenerated by Podman 3.0.0-dev
# Thu Feb 18 23:59:55 CST 2021

[Unit]
Description=Podman container-web1.service
Documentation=man:podman-generate-systemd(1)
Wants=network.target
After=network-online.target

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/container-web1.pid %t/container-web1.ctr-id
ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-web1.pid --cidfile %t/container-web1.ctr-id --cgroups=no-conmon --replace -dt --name web1 httpd
ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-web1.ctr-id -t 10
ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-web1.ctr-id
PIDFile=%t/container-web1.pid
Type=forking

[Install]
WantedBy=multi-user.target default.target
[root@localhost ~]# cat container-web2.service
# container-web2.service
# autogenerated by Podman 3.0.0-dev
# Thu Feb 18 23:59:58 CST 2021

[Unit]
Description=Podman container-web2.service
Documentation=man:podman-generate-systemd(1)
Wants=network.target
After=network-online.target

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/container-web2.pid %t/container-web2.ctr-id
ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-web2.pid --cidfile %t/container-web2.ctr-id --cgroups=no-conmon --replace -dt --name web2 -p 43211:80 -v /web2:/usr/local/apache2/htdocs:Z httpd
ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-web2.ctr-id -t 10
ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-web2.ctr-id
PIDFile=%t/container-web2.pid
Type=forking

[Install]
WantedBy=multi-user.target default.target
# %t expands to the runtime directory (/run for system units, $XDG_RUNTIME_DIR for --user units); --cgroups=no-conmon keeps conmon in the unit's own cgroup so that systemd tracks it; --replace removes a leftover container with the same name before creating the new one
[root@localhost ~]# mv container-web* /etc/systemd/system/
mv: overwrite '/etc/systemd/system/container-web1.service'? y
mv: overwrite '/etc/systemd/system/container-web2.service'? y
[root@localhost ~]# restorecon -RvF /etc/systemd/system/container-web*
Relabeled /etc/systemd/system/container-web1.service from unconfined_u:object_r:admin_home_t:s0 to system_u:object_r:systemd_unit_file_t:s0
Relabeled /etc/systemd/system/container-web2.service from unconfined_u:object_r:admin_home_t:s0 to system_u:object_r:systemd_unit_file_t:s0
[root@localhost ~]# systemctl enable container-web1.service container-web2.service --now
Created symlink /etc/systemd/system/multi-user.target.wants/container-web1.service → /etc/systemd/system/container-web1.service.
Created symlink /etc/systemd/system/default.target.wants/container-web1.service → /etc/systemd/system/container-web1.service.
Created symlink /etc/systemd/system/multi-user.target.wants/container-web2.service → /etc/systemd/system/container-web2.service.
Created symlink /etc/systemd/system/default.target.wants/container-web2.service → /etc/systemd/system/container-web2.service.
# Note the container IDs: with --new every start creates a fresh container and every stop removes it
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS                  NAMES
e3b889f8ca01  docker.io/library/httpd:latest  httpd-foreground  6 seconds ago  Up 5 seconds ago  0.0.0.0:43211->80/tcp  web2
302bb89bb9b4  docker.io/library/httpd:latest  httpd-foreground  5 seconds ago  Up 5 seconds ago                         web1
[root@localhost ~]# systemctl stop container-web1.service container-web2.service
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE  COMMAND  CREATED  STATUS  PORTS  NAMES
[root@localhost ~]#
[root@localhost ~]# systemctl start container-web1.service container-web2.service
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS                  NAMES
afe25b3d5dee  docker.io/library/httpd:latest  httpd-foreground  3 seconds ago  Up 3 seconds ago  0.0.0.0:43211->80/tcp  web2
df0b78734240  docker.io/library/httpd:latest  httpd-foreground  3 seconds ago  Up 3 seconds ago                         web1
[root@localhost ~]# reboot
Connection to 10.163.1.110 closed by remote host.
Connection to 10.163.1.110 closed.
[root@eveng-home ~]# ssh 10.163.1.110
root@10.163.1.110's password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Thu Feb 18 23:58:11 2021 from 10.163.1.200
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS           PORTS                  NAMES
6c2a116446e2  docker.io/library/httpd:latest  httpd-foreground  2 seconds ago  Up 1 second ago  0.0.0.0:43211->80/tcp  web2
da4316cac119  docker.io/library/httpd:latest  httpd-foreground  2 seconds ago  Up 1 second ago                         web1
Using Podman containers as a non-root user
For an ordinary user to manage containers, that user needs a real login session (ssh or a console/terminal login) rather than a plain su from root; otherwise there is no systemd user session and no XDG_RUNTIME_DIR for rootless Podman, and things break.
# useradd also allocates the /etc/subuid and /etc/subgid ranges that rootless Podman needs for its user namespace
[root@localhost ~]# useradd gls
[root@localhost ~]# echo 1 | passwd --stdin gls
Changing password for user gls.
passwd: all authentication tokens updated successfully.
[root@localhost ~]# ssh gls@localhost
gls@localhost's password:
Activate the web console with: systemctl enable --now cockpit.socket
# root's images are invisible to an ordinary user (rootless Podman keeps its own storage under ~/.local/share/containers), so the user pulls their own copy
[gls@localhost ~]$ podman pull httpd
[gls@localhost ~]$ podman images
REPOSITORY               TAG     IMAGE ID      CREATED      SIZE
docker.io/library/httpd  latest  683a7aad17d3  5 weeks ago  142 MB
# The podman-3.0.0-0.33rc2.module_el8.4.0+673+eabfc99d.x86_64 build has a problem; see the bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=1923986
# podman-3.0.0-0.21.module_el8.4.0+641+6116a774.x86_64 works fine
# Run a container as gls, bind-mounting a directory under the home directory (podman creates it if it does not exist). Port 54321 is above 1024; a rootless user cannot bind privileged ports unless net.ipv4.ip_unprivileged_port_start is lowered
[gls@localhost ~]$ podman run -dt --name glsweb1 -p 54321:80 -v /home/gls/glsweb1:/usr/local/apache2/htdocs:Z httpd
72c14b6be75f7e3065ebe6da1ea907336a97b97ad3b17099fce294e710bbd8b0
[gls@localhost ~]$ podman ps
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS                  NAMES
72c14b6be75f  docker.io/library/httpd:latest  httpd-foreground  8 minutes ago  Up 8 minutes ago  0.0.0.0:54321->80/tcp  glsweb1
[gls@localhost ~]$ curl localhost:54321
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
# (the start of Apache's generated page: the bind-mounted directory is still empty)
[gls@localhost ~]$ ls
glsweb1
[gls@localhost ~]$ cd glsweb1/
[gls@localhost glsweb1]$ ls
[gls@localhost glsweb1]$ cd
[gls@localhost ~]$ echo "glshq" >> glsweb1/index.html
[gls@localhost ~]$ curl localhost:54321
glshq
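What uid the files under /home/gls/glsweb1 get when Apache writes them, as an added example that is not from the page: a POSIX shell script that reproduces the rootless user-namespace mapping (container uid 0 is the user's own uid; container uids 1 and up are taken, in order, from the user's /etc/subuid ranges) in both directions, and prints the /proc/self/uid_map that podman unshare cat /proc/self/uid_map would show. The /etc/subuid and /etc/passwd contents are constructed; gls's uid 1000 and the 100000:65536 range are assumptions, and the alice entry is added to show a second user. It goes beyond the single range useradd allocates by walking several ranges per user.

```bash
#!/bin/sh
# Added example (not from the page): reproduce the uid mapping of a rootless
# Podman user namespace. Container uid 0 is the user's own uid; container uids
# 1..N are taken, in order, from the user's /etc/subuid ranges. The file
# contents are constructed; gls's uid 1000 and the 100000:65536 range are
# assumptions. On a real host compare with: podman unshare cat /proc/self/uid_map
SUBUID='gls:100000:65536
alice:165536:65536'
PASSWD='root:x:0:0:root:/root:/bin/bash
gls:x:1000:1000::/home/gls:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash'

# user_uid NAME -> host uid from the constructed passwd, empty if unknown
user_uid() {
    printf '%s\n' "$PASSWD" | awk -F: -v u="$1" '$1 == u { print $3; exit }'
}

# uid_map_for USER -> the lines /proc/self/uid_map shows inside the namespace
# (container-start host-start length), walking every subuid range of the user
uid_map_for() {
    uid=$(user_uid "$1")
    if [ -z "$uid" ]; then echo "unknown user $1" >&2; return 1; fi
    printf '0 %s 1\n' "$uid"
    printf '%s\n' "$SUBUID" | awk -F: -v u="$1" 'BEGIN { n = 1 } $1 == u { print n, $2, $3; n += $3 }'
}

# host_uid_for USER CONTAINER_UID -> host uid that owns files created by CONTAINER_UID
host_uid_for() {
    uid=$(user_uid "$1")
    if [ -z "$uid" ]; then echo "unknown user $1" >&2; return 1; fi
    if [ "$2" -eq 0 ]; then printf '%s\n' "$uid"; return 0; fi
    mapped=$(printf '%s\n' "$SUBUID" | awk -F: -v u="$1" -v c="$2" '
        BEGIN { next_cuid = 1 }
        $1 == u {
            if (c >= next_cuid && c < next_cuid + $3) { print $2 + (c - next_cuid); exit }
            next_cuid += $3
        }')
    if [ -z "$mapped" ]; then echo "container uid $2 is not mapped for $1" >&2; return 1; fi
    printf '%s\n' "$mapped"
}

# container_uid_for USER HOST_UID -> container uid that a host-owned file appears as
container_uid_for() {
    uid=$(user_uid "$1")
    if [ -z "$uid" ]; then echo "unknown user $1" >&2; return 1; fi
    if [ "$2" -eq "$uid" ]; then echo 0; return 0; fi
    mapped=$(printf '%s\n' "$SUBUID" | awk -F: -v u="$1" -v h="$2" '
        BEGIN { next_cuid = 1 }
        $1 == u {
            if (h >= $2 && h < $2 + $3) { print next_cuid + (h - $2); exit }
            next_cuid += $3
        }')
    if [ -z "$mapped" ]; then echo "host uid $2 is not mapped for $1 (appears as nobody, 65534)" >&2; return 1; fi
    printf '%s\n' "$mapped"
}

uid_map_for gls
printf 'gls: container uid 1 (daemon, which runs Apache in the httpd image) writes files owned by host uid %s\n' "$(host_uid_for gls 1)"
printf 'gls: host uid 100032 is container uid %s\n' "$(container_uid_for gls 100032)"
```

The practical consequence: the httpd image runs Apache as uid 1 (daemon), so anything it writes into the bind mount shows up on the host owned by uid 100000, which gls cannot chown without re-entering the namespace (podman unshare chown 1:1 PATH). Conversely, a host file owned by gls (1000) looks root-owned inside the container, and a host file owned by any unmapped uid, root included, appears as nobody and is unwritable from inside. That asymmetry is the point of rootless mode: a container escape lands in gls's uid or in a subordinate uid range, not in root.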
# Letting systemd manage a rootless container
# Create ~/.config/systemd/user, where an ordinary user's unit files live
[gls@localhost ~]$ mkdir ~/.config/systemd/user -p
# Generate the unit file (--new, so the unit recreates the container itself)
[gls@localhost ~]$ podman generate systemd --new --files --name glsweb1
/home/gls/container-glsweb1.service
# Move the unit into the user's systemd directory
[gls@localhost ~]$ mv container-glsweb1.service ~/.config/systemd/user/
# Restore the SELinux label of the unit file
[gls@localhost ~]$ restorecon -RvF ~/.config/systemd/user/container-glsweb1.service
Relabeled /home/gls/.config/systemd/user/container-glsweb1.service from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:systemd_unit_file_t:s0
# Enable lingering: the user's systemd instance then starts at boot and keeps running without a login, which is what lets a --user unit start the container after a reboot
[gls@localhost ~]$ loginctl enable-linger
[gls@localhost ~]$ systemctl --user daemon-reload
[gls@localhost ~]$ ls ~/.config/systemd/user/
container-glsweb1.service
[gls@localhost ~]$ systemctl --user enable container-glsweb1.service --now
Created symlink /home/gls/.config/systemd/user/multi-user.target.wants/container-glsweb1.service → /home/gls/.config/systemd/user/container-glsweb1.service.
Created symlink /home/gls/.config/systemd/user/default.target.wants/container-glsweb1.service → /home/gls/.config/systemd/user/container-glsweb1.service.
# Reboot (as root) and check as gls that the container came back; the new container ID shows that --new recreated it
[root@localhost ~]# reboot
Connection to 10.163.1.100 closed by remote host.
Connection to 10.163.1.100 closed.
[root@eveng-home ~]# ssh gls@10.163.1.100
gls@10.163.1.100's password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Fri Feb 19 00:45:55 2021 from ::1
[gls@localhost ~]$ podman ps -a
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS                  NAMES
72e06d2a9e57  docker.io/library/httpd:latest  httpd-foreground  7 seconds ago  Up 7 seconds ago  0.0.0.0:54321->80/tcp  glsweb1
[gls@localhost ~]$ curl localhost:54321
glshq