在无根环境中的基本设置
1.安装crun,并修改配置文件
[root@loaclhost ~]# dnf -y install crun
//修改配置文件
[root@loaclhost ~]# vim /usr/share/containers/containers.conf
Default OCI runtime
runtime = "crun" //将此行取消注释,改为crun
//创建一个容器用nginx镜像
[root@loaclhost ~]# podman run -d --name web -p 8080:8080 docker.io/library/nginx
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob baf2da91597d done
Copying blob 6a17c8e7063d done
Copying blob b1349eea8fc5 done
Copying blob 27e0d286aeab done
Copying blob 1efc276f4ff9 done
Copying blob 05396a986fd3 done
Copying config b692a91e4e done
Writing manifest to image destination
Storing signatures
979f34cf81e9a5d18f2a1504aebc944d94e001ed32a0ae6fb3317b7047da87cf
[root@loaclhost ~]# podman inspect web |grep crun
"OCIRuntime": "crun",
"crun",
//安装slirp4netns和fuse-overlayfs
[root@loaclhost ~]# dnf -y install slirp4netns
[root@loaclhost ~]# dnf -y install fuse-overlayfs
//修改配置文件
[root@loaclhost ~]# vim /etc/containers/storage.conf
mount_program = "/usr/bin/fuse-overlayfs" //将此行取消注释
//安装shadow-utils
[root@loaclhost ~]# dnf -y install shadow-utils
//创建一个用户,查看他的subuid和subgid
[root@loaclhost ~]# useradd hh
[root@loaclhost ~]# cat /etc/subuid
hh:100000:65536
[root@loaclhost ~]# cat /etc/subgid
hh:100000:65536
//启用非特权ping
[root@loaclhost ~]# vim /etc/sysctl.conf
net.ipv4.ping_group_range=0 300000 //允许组id在0-300000范围内的进程使用非特权ping(ICMP);该范围应包含无根用户自身的gid及其subgid范围(这里hh为100000-165535)
//用户配置文件
三个主要的配置文件是containers.conf、storage.conf和registries.conf。用户可以根据需要修改这些文件。
//设置用户命名空间数量上限
[root@localhost ~]# vim /etc/sysctl.conf
user.max_user_namespaces=15000 //一般不用设置
containers.conf
// 用户配置文件
[root@localhost ~]# cat /usr/share/containers/containers.conf
[root@localhost ~]# cat /etc/containers/containers.conf
[root@localhost ~]# cat ~/.config/containers/containers.conf //优先级最高
//配置storage.conf文件
1./etc/containers/storage.conf
2.$HOME/.config/containers/storage.conf
//在普通用户中/etc/containers/storage.conf的一些字段将被忽略
# Default Storage Driver, Must be set for proper operation.
driver = "overlay" #此处改为overlay
.......
mount_program = "/usr/bin/fuse-overlayfs" #取消注释
//在普通用户中这些字段默认
graphroot="$HOME/.local/share/containers/storage"
runroot="$XDG_RUNTIME_DIR/containers"
//registries.conf配置按此顺序读入。这些文件不是默认创建的,可以从/usr/share/containers或/etc/containers复制文件后再进行修改。
1./etc/containers/registries.conf
2./etc/containers/registries.d/*
3.$HOME/.config/containers/registries.conf
//Authorization files 授权文件
podman login和podman logout命令使用的默认授权文件位于${XDG_RUNTIME_DIR}/containers/auth.json.
[root@loaclhost ~]# podman login
Username: 15072814090
Password:
Login Succeeded!
[root@loaclhost ~]# cat /run/user/0/containers/auth.json //查看授权文件。其中auth字段是"用户名:密码"的base64编码,并不是加密,任何能读取该文件的人都能还原出密码,因此要保证该文件只有本用户可读
{
"auths": {
"docker.io": {
"auth": "MTUwNzI4MTQwOTA6aHdmMTAwOC4uLg=="
}
}
}
//root用户的镜像
[root@loaclhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest b692a91e4e15 2 weeks ago 146 MB
docker.io/library/busybox v0.1 7a80323521cc 2 weeks ago 1.47 MB
docker.io/library/httpd latest dabbfbe0c57b 7 months ago 148 MB
docker.io/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
localhost:5000/alpine latest c059bfaa849c 8 months ago 5.87 MB
docker.io/library/registry latest b8604a3fe854 9 months ago 26.8 MB
quay.io/centos/centos latest 300e315adb2f 20 months ago 217 MB
//普通用户的镜像,普通用户是看不到root用户的镜像的
[hh@loaclhost ~]$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/busybox latest beae173ccac6 7 months ago 464 MB //这是普通用户自己拉取的镜像
2.卷管理
- 以无根方式运行容器时,容器中的root用户实际上就是主机上运行容器的那个普通用户。
- 容器中的其他UID/GID则从/etc/subuid和/etc/subgid中为该用户指定的第一个从属UID/GID开始依次映射。
- 如果以普通用户身份把主机目录挂载到容器中,并在该目录里以容器内的root身份创建文件,会发现这些文件在主机上实际上归你自己的用户所有。
//在hh用户上创建一个挂载卷的目录
[hh@loaclhost ~]$ mkdir data
[hh@loaclhost ~]$ podman run -it --name web1 -v /home/hh/data:/data:Z busybox /bin/sh
/ # ls
bin data dev etc home proc root run sys tmp usr var
/data # touch 123 1 2
/data # ls
1 123 2
[hh@loaclhost ~]$ ls /home/hh/data/ //挂载成功
1 123 2
//在主机上往文件里写入内容,容器内也同步成功
[hh@loaclhost ~]$ echo "hwfhwf" > /home/hh/data/1
/data # cat 1
hwfhwf
//我们可以发现容器里面的文件的属主和属组都显示为root;要让它们显示为当前用户,只要在运行容器的时候加上--userns=keep-id即可。
/data # ls -l
total 4
-rw-r--r-- 1 root root 7 Aug 16 11:23 1
-rw-r--r-- 1 root root 0 Aug 16 11:20 123
-rw-r--r-- 1 root root 0 Aug 16 11:20 2
[hh@loaclhost ~]$ podman run -it --name web2 -v /home/hh/data:/data --userns=keep-id busybox /bin/sh
~ $ ls
bin data dev etc home proc root run sys tmp usr var
~ $ cd data
/data $ ls -l
total 4
-rw-r--r-- 1 hh hh 7 Aug 16 11:29 1
-rw-r--r-- 1 hh hh 0 Aug 16 11:20 123
-rw-r--r-- 1 hh hh 0 Aug 16 11:20 2
3.无根用户映射端口
//使用普通用户映射容器端口时会报“permission denied”的错误 //无根用户默认只能映射>=1024的端口
[root@loaclhost ~]# vim /etc/sysctl.conf
net.ipv4.ip_unprivileged_port_start=80 //配置后,非特权用户就可以绑定80及以上的端口(此设置对系统上所有非特权进程生效,而不只是podman)
[root@loaclhost ~]# sysctl -p
net.ipv4.ping_group_range = 0 300000
net.ipv4.ip_unprivileged_port_start = 80
[hh@loaclhost ~]$ podman run -it --name hhh -p 82:82 busybox /bin/sh //创建成功
/ #
[hh@loaclhost ~]$ ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:82 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:80 *:*
4.创建网桥
[hh@loaclhost ~]$ podman network create
/home/hh/.config/cni/net.d/cni-podman1.conflist
[hh@loaclhost ~]$ podman network ls
NETWORK ID NAME VERSION PLUGINS
2f259bab93aa podman 0.4.0 bridge,portmap,firewall,tuning //podman是默认网桥
b932778640d3 cni-podman1 0.4.0 bridge,portmap,firewall,tuning
5.运行容器加入网络名称空间
//创建一个容器加入网络名称空间
[hh@loaclhost ~]$ podman run -itd --name fwh --network cni-podman1 busybox /bin/sh
a5a512b3927bd34509e3fc5b94804c82183040deb4dcaa85ea8345776a0f0ba1
[hh@loaclhost ~]$ podman inspect -l |grep -i address //可以看到它的ip
"IPAddress": "",
"GlobalIPv6Address": "",
"MacAddress": "",
"LinkLocalIPv6Address": "",
"IPAddress": "10.89.0.2",
"GlobalIPv6Address": "",
"MacAddress": "82:d0:e7:ea:33:48",
[hh@loaclhost ~]$ podman exec -it -l /bin/sh //也可以ping通百度
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 82:d0:e7:ea:33:48 brd ff:ff:ff:ff:ff:ff
inet 10.89.0.2/24 brd 10.89.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::80d0:e7ff:feea:3348/64 scope link
valid_lft forever preferred_lft forever
/ # ping baidu.com
PING baidu.com (110.242.68.66): 56 data bytes
64 bytes from 110.242.68.66: seq=0 ttl=254 time=114.155 ms
64 bytes from 110.242.68.66: seq=1 ttl=254 time=69.601 ms
^C
--- baidu.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 69.601/91.878/114.155 ms
//无根容器在podman inspect中看不到ip,但容器内仍有tap0接口,也可以ping通百度
[hh@loaclhost ~]$ podman run -itd --name hwf busybox
d781b049e908a88f6828beaa0ddcc28f394afd28dbb78ac6f2d04794db5b5369
[hh@loaclhost ~]$ podman inspect -l |grep -i address
"IPAddress": "",
"GlobalIPv6Address": "",
"MacAddress": "",
"LinkLocalIPv6Address": "",
[hh@loaclhost ~]$ podman exec -it -l /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: tap0: <BROADCAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel qlen 1000
link/ether 7a:80:3d:4c:e5:c8 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.100/24 brd 10.0.2.255 scope global tap0
valid_lft forever preferred_lft forever
inet6 fe80::7880:3dff:fe4c:e5c8/64 scope link
valid_lft forever preferred_lft forever
/ # ping www.baidu.com
PING www.baidu.com (182.61.200.7): 56 data bytes
64 bytes from 182.61.200.7: seq=0 ttl=255 time=40.141 ms
^C
--- www.baidu.com ping statistics ---
2 packets transmitted, 1 packets received, 50% packet loss
round-trip min/avg/max = 40.141/40.141/40.141 ms