1. 什么是podman?
Podman 是一个无守护进程的容器引擎,用于在 Linux 系统上开发、管理和运行 OCI 容器。容器可以以 root 或无根模式运行。
Podman 是一个开源项目,可在大多数 Linux 平台上使用并驻留在GitHub上。Podman 是一个无守护进程的容器引擎,用于在 Linux 系统上开发、管理和运行 Open Container Initiative (OCI) 容器和容器映像。
Podman 还提供了一个套接字激活的 REST API 服务,以允许远程应用程序启动按需容器。这个 REST API 还支持 Docker API,允许 docker-py 和 docker-compose 的用户与 Podman 作为服务进行交互。
Podman 服务仅运行在 Linux 平台上,但 Podman 远程 REST API 客户端存在于 Mac 和 Windows 平台上,并且可以通过 ssh 与运行在 Linux 机器或 VM 上的 Podman 服务进行通信。
2. podman安装
podman可以在windows、linux、mac等众多平台上安装
podman官网:https://podman.io/
podman 在 CentOS 7 的默认 Extras 存储库中可用,在 CentOS 8 和 Stream 的 AppStream 存储库中可用。
[root@localhost ~]# yum -y install podman
[root@localhost ~]# rpm -qa | grep podman
podman-1.6.4-29.el7_9.x86_64
//可以给podman定义别名
[root@localhost ~]# alias docker=podman
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@localhost ~]#
3. poman 的常用命令
[root@localhost ~]# podman search nginx
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
redhat.com registry.access.redhat.com/ubi8/nginx-120 Platform for running nginx 1.20 or building ... 0
redhat.com registry.access.redhat.com/ubi8/nginx-118 Platform for running nginx 1.18 or building ... 0
redhat.com registry.access.redhat.com/rhscl/nginx-110-rhel7 Nginx container image that delivers an nginx... 0
redhat.com registry.access.redhat.com/rhscl/nginx-16-rhel7 Nginx 1.6 server and a reverse proxy server 0
redhat.com registry.access.redhat.com/rhscl/nginx-18-rhel7 Nginx 1.8 server and a reverse proxy server 0
redhat.com registry.access.redhat.com/rhscl/nginx-112-rhel7 Nginx is a web server and a reverse proxy se... 0
redhat.com registry.access.redhat.com/ubi7/nginx-118 Platform for running nginx 1.18 or building ... 0
redhat.com registry.access.redhat.com/rhscl/nginx-114-rhel7 Nginx is a web server and a reverse proxy se... 0
redhat.com registry.access.redhat.com/3scale-amp23/apicast-gateway 3scale's API gateway (APIcast)
.......省略N行
//使用过滤器增强搜索 (--filter=is-official 过滤官方镜像)
[root@localhost ~]# podman search nginx --filter=is-official
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
docker.io docker.io/library/nginx Official build of Nginx. 15928 [OK]
[root@localhost ~]#
//下载(拉取)镜像
[root@localhost ~]# podman pull docker.io/library/nginx
Trying to pull docker.io/library/nginx...
Getting image source signatures
Copying blob 881ff011f1c9 done
Copying blob ed835de16acd done
Copying blob 44be98c0fab6 done
Copying blob 21e0df283cd6 done
Copying blob e5ae68f74026 done
Copying blob 77700c52c969 done
Copying config f652ca386e done
Writing manifest to image destination
Storing signatures
f652ca386ed135a4cbe356333e08ef0816f81b2ac8d0619af01e2b256837ed3e
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest f652ca386ed1 12 days ago 146 MB
[root@localhost ~]#
//运行容器
[root@localhost ~]# podman run -d -p 80:80 docker.io/library/nginx:latest
5d3e7331a604bc22679f41474a01f4225d67608a8f3e5046e419dc3137abef78
[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5d3e7331a604 docker.io/library/nginx:latest nginx -g daemon o... 6 seconds ago Up 5 seconds ago 0.0.0.0:80->80/tcp nostalgic_ride
[root@localhost ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5d3e7331a604 docker.io/library/nginx:latest nginx -g daemon o... 12 seconds ago Up 12 seconds ago 0.0.0.0:80->80/tcp nostalgic_ride
[root@localhost ~]#
//测试容器
[root@localhost ~]# curl 192.168.8.128
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@localhost ~]#
检查正在运行的容器,以查找有关其自身的元数据和详细信息。 将提供许多有用的信息,如环境变量,网络设置或分配的资源。podman inspect
由于容器在root模式下运行,因此会为容器分配 IP 地址
//grep -i ipaddress(忽略大小写)
[root@localhost ~]# podman inspect -l |grep -i ipaddress
"SecondaryIPAddresses": null,
"IPAddress": "10.88.0.2",
[root@localhost ~]#
//查看容器的日志
[root@localhost ~]# podman logs -l
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2021/12/14 12:44:48 [notice] 1#1: using the "epoll" event method
2021/12/14 12:44:48 [notice] 1#1: nginx/1.21.4
2021/12/14 12:44:48 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
2021/12/14 12:44:48 [notice] 1#1: OS: Linux 3.10.0-862.el7.x86_64
2021/12/14 12:44:48 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2021/12/14 12:44:48 [notice] 1#1: start worker processes
2021/12/14 12:44:48 [notice] 1#1: start worker process 32
2021/12/14 12:44:48 [notice] 1#1: start worker process 33
2021/12/14 12:44:48 [notice] 1#1: start worker process 34
2021/12/14 12:44:48 [notice] 1#1: start worker process 35
192.168.8.128 - - [14/Dec/2021:12:46:20 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.29.0" "-"
[root@localhost ~]#
//查看容器的 pids
[root@localhost ~]# podman top -l
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
root 1 0 0.000 5m56.761146184s ? 0s nginx: master process nginx -g daemon off;
nginx 32 1 0.000 5m56.761232256s ? 0s nginx: worker process
nginx 33 1 0.000 5m56.76128208s ? 0s nginx: worker process
nginx 34 1 0.000 5m56.761322851s ? 0s nginx: worker process
nginx 35 1 0.000 5m56.761372584s ? 0s nginx: worker process
[root@localhost ~]#
//停止容器
[root@localhost ~]# podman stop -l
5d3e7331a604bc22679f41474a01f4225d67608a8f3e5046e419dc3137abef78
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5d3e7331a604 docker.io/library/nginx:latest nginx -g daemon o... 7 minutes ago Exited (0) 17 seconds ago 0.0.0.0:80->80/tcp nostalgic_ride
[root@localhost ~]#
//删除容器
[root@localhost ~]# podman rm -l
5d3e7331a604bc22679f41474a01f4225d67608a8f3e5046e419dc3137abef78
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@localhost ~]#
//镜像修改标签(改名)
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest f652ca386ed1 12 days ago 146 MB
[root@localhost ~]# podman tag docker.io/library/nginx:latest docker.io/pengyudong/nginx:v1.0
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest f652ca386ed1 12 days ago 146 MB
docker.io/pengyudong/nginx v1.0 f652ca386ed1 12 days ago 146 MB
[root@localhost ~]#
4. 普通用户使用podman的方式
在允许没有root特权的用户运行Podman之前,管理员必须安装或构建Podman并完成以下配置
cgroup V2Linux内核功能允许用户限制普通用户容器可以使用的资源,如果使用cgroup V2启用了运行Podman的Linux发行版,则可能需要更改默认的OCI运行时。某些较旧的版本runc不适用于cgroup V2,必须切换到备用OCI运行时crun。
[root@localhost ~]# yum -y install crun # centos8系统自带
[root@localhost ~]# vim /usr/share/containers/containers.conf
......
446 # Default OCI runtime
447 #
448 runtime = "crun" # 取消注释并将值改为crun
......
[root@localhost ~]# podman run -d -p 80 docker.io/library/nginx
81462774ef3a27079293143a15b361a9672100e44868ac3d72ec238142ef5f84
[root@localhost ~]# podman inspect -l | grep crun
"OCIRuntime": "crun",
"crun",
[root@localhost ~]# podman run -d -p 80 docker.io/library/nginx
81462774ef3a27079293143a15b361a9672100e44868ac3d72ec238142ef5f84
[root@localhost ~]# podman inspect -l | grep crun
"OCIRuntime": "crun",
"crun",
//slirp4netns
[root@localhost ~]# rpm -qa| grep slirp4netns
slirp4netns-1.1.8-1.module_el8.6.0+926+8bef8ae7.x86_64
在普通用户环境中使用Podman时,建议使用fuse-overlayfs而不是VFS文件系统,至少需要版本0.7.6。现在新版本默认就是
//安装fuse-overlayfs
[root@localhost ~]# rpm -qa |grep fuse-overlayfs
fuse-overlayfs-1.7.1-1.module_el8.6.0+926+8bef8ae7.x86_64
[root@localhost ~]# vim /etc/containers/storage.conf
......
77 mount_program = "/usr/bin/fuse-overlayfs" # 取消注释
......
/etc/subuid和/etc/subgid配置
Podman要求运行它的用户在/etc/subuid和/etc/subgid文件中列出一系列UID,shadow-utils或newuid包提供这些文件
//centos 8 自带的有这个包,再安装一次就更新了这个包
[root@localhost ~]# yum -y install shadow-utils
可以在 /etc/subuid 和 /etc/subgid 查看,每个用户的值必须唯一且没有任何重叠。
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
fec0a6296d77 docker.io/library/nginx:latest nginx -g daemon o... 10 minutes ago Up 10 minutes ago 0.0.0.0:80->80/tcp nginx
[root@localhost ~]# podman exec -it nginx /bin/bash
root@fec0a6296d77:/# id
uid=0(root) gid=0(root) groups=0(root)
root@fec0a6296d77:/# cat /etc/subuid
root@fec0a6296d77:/# useradd pyd
root@fec0a6296d77:/# cat /etc/subuid
test:100000:65536
该文件的格式为USERNAME:UID:RANGE
- 在/ etc / passwd或getpwent中列出的用户名。
- 为用户分配的初始uid。
- 为用户分配的UID范围的大小
用户的配置文件
三个主要的配置文件是container.conf,storage.conf和registries.conf。用户可以根据需要修改这些文件。
container.conf
Podman读取时,按照循序来了,当前面一位找不到时,就去找下一个
1./usr/share/containers/containers.conf
2./etc/containers/containers.conf
3.$HOME/.config/containers/containers.conf
storage.conf
storge.conf则是
1./etc/containers/storage.conf
2.$HOME/.config/containers/storage.conf
在普通用户中/etc/containers/storage.conf的一些字段将被忽略
graphroot=``""`` ``container storage graph ``dir` `(default: ``"/var/lib/containers/storage"``)`` ``Default directory to store all writable content created by container storage programs.` `runroot=``""`` ``container storage run ``dir` `(default: ``"/run/containers/storage"``)`` ``Default directory to store all temporary writable content created by container storage programs.
在普通用户中这些字段默认
graphroot=``"$HOME/.local/share/containers/storage"``runroot=``"$XDG_RUNTIME_DIR/containers"
registries.conf
配置按此顺序读入,这些文件不是默认创建的,可以从/usr/share/containers或复制文件/etc/containers并进行修改
1./etc/containers/registries.conf
2./etc/containers/registries.d/*
3.HOME/.config/containers/registries.conf
授权文件
podman login 登录,默认授权文件在${XDG_RUNTIME_DIR}/containers/auth.json
[root@localhost ~]# cat /run/user/0/containers/auth.json
{
"auths": {
"docker.io": {
"auth": "********************="
}
}
}
1169
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
