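Podman basic setup and usage, distributing container images, and some common commands

Using Podman

1. Basic Podman setup and usage

Podman is a utility provided as part of the libpod library. It can be used to create and maintain containers.

The following operations require an environment where Podman is already installed.

1.1 Run a container

  • The sample container runs a very basic httpd server that serves only its index page.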
[root@localhost ~]# podman run -dt -p 8080:8080/tcp -e HTTPD_VAR_RUN=/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d \
>                   -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf \
>                   -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \
>                   registry.fedoraproject.org/f29/httpd /usr/bin/run-httpd
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob aaf5ad2e1aa3 done  
Copying blob 7692efc5f81c done  
Copying blob d77ff9f653ce done  
Copying config 25c76f9dcd done  
Writing manifest to image destination
Storing signatures
15926f6088f3a146f925093afda8427b77f17a7bb35e62e81f5440f019a098fe

1.2 List running containers

  • The podman ps command lists created and running containers.
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                                        COMMAND               CREATED        STATUS            PORTS                   NAMES
15926f6088f3  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  3 minutes ago  Up 3 minutes ago  0.0.0.0:8080->8080/tcp  nostalgic_ramanujan

//With the -a option, podman shows all containers
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                                        COMMAND               CREATED        STATUS            PORTS                   NAMES
e49b96d671ca  docker.io/library/httpd:latest               httpd-foreground      19 hours ago   Created                                   hopeful_fermat
15926f6088f3  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  4 minutes ago  Up 4 minutes ago  0.0.0.0:8080->8080/tcp  nostalgic_ramanujan
[root@localhost ~]# 

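1.3 Find the container's IP address and access it

  • Use the inspect subcommand to see the IP address assigned to the container, then access it to check the result.
//You can use the container's ID instead of -l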
[root@localhost ~]# podman inspect -l| grep -i ipaddress
            "IPAddress": "10.88.0.2",
                    "IPAddress": "10.88.0.2",
[root@localhost ~]# podman port -l
8080/tcp -> 0.0.0.0:8080
[root@localhost ~]# 
[root@localhost ~]# curl 10.88.0.2:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
        <head>
                <title>Test Page for the Apache HTTP Server on Fedora</title>
                <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    ······
                                                <p><a href="https://httpd.apache.org/"><img src="/icons/apache_pb2.gif" alt="[ Powered by Apache ]"/></a> <a href="https://getfedora.org/"><img src="/icons/poweredby.png" alt="[ Powered by Fedora ]" width="88" height="31" /></a></p>
                                        </div>
                                </div>
                        </div>
                </div>
        </body>
</html>



1.4 View the container's logs

[root@localhost ~]# podman logs -l
=> sourcing 10-set-mpm.sh ...
=> sourcing 20-copy-config.sh ...
=> sourcing 40-ssl-certs.sh ...
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.2. Set the 'ServerName' directive globally to suppress this message
······
10.88.0.1 - - [15/Aug/2022:10:12:40 +0000] "GET / HTTP/1.1" 403 4650 "-" "curl/7.61.1"
[root@localhost ~]# 

1.5 View the container's PIDs

  • Use top to observe the httpd PIDs inside the container.
[root@localhost ~]# podman top -l
USER        PID         PPID        %CPU        ELAPSED          TTY         TIME        COMMAND
default     1           0           0.000       33m5.235551149s  pts/0       0s          httpd -D FOREGROUND 
default     21          1           0.000       33m5.235765341s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     22          1           0.000       33m4.235807117s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     23          1           0.000       33m4.235845924s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     24          1           0.000       33m4.235882158s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     25          1           0.000       33m4.235928722s  pts/0       0s          httpd -D FOREGROUND 
default     26          1           0.000       33m4.235967363s  pts/0       0s          httpd -D FOREGROUND 
default     27          1           0.000       33m4.236006615s  pts/0       0s          httpd -D FOREGROUND 
default     28          1           0.000       33m4.236068582s  pts/0       0s          httpd -D FOREGROUND 

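1.6 Checkpoint the container

  • Checkpointing a container stops it and writes the state of all processes in the container to disk. The container can then be restored later and continue running from exactly the same point in time as the checkpoint.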
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                                        COMMAND               CREATED         STATUS             PORTS                   NAMES
15926f6088f3  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  39 minutes ago  Up 39 minutes ago  0.0.0.0:8080->8080/tcp  nostalgic_ramanujan
[root@localhost ~]# podman container checkpoint -l
15926f6088f3a146f925093afda8427b77f17a7bb35e62e81f5440f019a098fe
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES
[root@localhost ~]# 

1.7 Restore the container

[root@localhost ~]# podman container restore -l
15926f6088f3a146f925093afda8427b77f17a7bb35e62e81f5440f019a098fe
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                                        COMMAND               CREATED         STATUS             PORTS                   NAMES
15926f6088f3  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  43 minutes ago  Up 43 minutes ago  0.0.0.0:8080->8080/tcp  nostalgic_ramanujan
[root@localhost ~]# 

1.8 Stop and remove the container

[root@localhost ~]# podman stop -l
15926f6088f3a146f925093afda8427b77f17a7bb35e62e81f5440f019a098fe
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES
[root@localhost ~]# podman rm -l
15926f6088f3a146f925093afda8427b77f17a7bb35e62e81f5440f019a098fe

2. Signing and distributing container images

  • Generate a GPG key
[root@localhost ~]# gpg --full-gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) y
invalid value
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: sefsef@144.com
Email address: sefsef@144.com
Comment: jii
You selected this USER-ID:
    "sefsef@144.com (jii) <sefsef@144.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 31F971F3787F791F marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/4F63C8FB2D286CB611A79B8B31F971F3787F791F.rev'
public and secret key created and signed.

pub   rsa2048 2022-08-15 [SC]
      4F63C8FB2D286CB611A79B8B31F971F3787F791F
uid                      sefsef@144.com (jii) <sefsef@144.com>
sub   rsa2048 2022-08-15 [E]

[root@localhost ~]# 

  • List the keys
[root@localhost ~]# gpg --list-keys sefsef@144.com
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   rsa2048 2022-08-15 [SC]
      4F63C8FB2D286CB611A79B8B31F971F3787F791F
uid           [ultimate] sefsef@144.com (jii) <sefsef@144.com>
sub   rsa2048 2022-08-15 [E]

  • First, run a registry container
[root@localhost ~]# podman run -d -p 5000:5000 docker.io/registry
Trying to pull docker.io/library/registry:latest...
Getting image source signatures
Copying blob 44c4c74a95e4 done  
Copying blob 74a97d2d84d9 done  
Copying blob 4c2fb79b7ce6 done  
Copying blob 5299e6f78605 done  
Copying blob 213ec9aee27d done  
Copying config 3a0f7b0a13 done  
Writing manifest to image destination
Storing signatures
b98d29c1cc9b0db0b06e519c1b183780547254912215abfff3c706d065fa5180
[root@localhost ~]# ss -antl
State      Recv-Q     Send-Q           Local Address:Port           Peer Address:Port     Process     
LISTEN     0          128                    0.0.0.0:22                  0.0.0.0:*                    
LISTEN     0          128                    0.0.0.0:5000                0.0.0.0:*                    
LISTEN     0          128                       [::]:22                     [::]:*                    
[root@localhost ~]# 

  • Pull an image
[root@localhost ~]# podman pull docker://docker.io/alpine:latest
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob 213ec9aee27d skipped: already exists  
Copying config 9c6f072447 done  
Writing manifest to image destination
Storing signatures
9c6f0724472873bb50a2ae67a9e7adcb57673a183cea8b06eb778dca859181b5
[root@localhost ~]# podman images alpine
REPOSITORY                TAG         IMAGE ID      CREATED     SIZE
docker.io/library/alpine  latest      9c6f07244728  5 days ago  5.83 MB
[root@localhost ~]# 

  • Retag the image so that it points at the registry
[root@localhost ~]# podman tag alpine localhost:5000/alpine
[root@localhost ~]# podman images alpine
REPOSITORY                TAG         IMAGE ID      CREATED     SIZE
docker.io/library/alpine  latest      9c6f07244728  5 days ago  5.83 MB
localhost:5000/alpine     latest      9c6f07244728  5 days ago  5.83 MB
[root@localhost ~]# 

  • Modify the registry configuration (registries.d)
[root@localhost ~]# cd /etc/containers/
[root@localhost containers]# ls
certs.d  oci  policy.json  registries.conf  registries.conf.d  registries.d  storage.conf
[root@localhost containers]# cd registries.d
[root@localhost registries.d]# ls
default.yaml  registry.access.redhat.com.yaml  registry.redhat.io.yaml
[root@localhost registries.d]# vim default.yaml 

16   sigstore: http://localhost:8000	//add this line

  • Push the image and sign it (--tls-verify=false is used because the local registry serves plain HTTP)
[root@localhost ~]# podman push --tls-verify=false --sign-by sefsef@144.com localhost:5000/alpine
Getting image source signatures
Copying blob 994393dc58e7 done  
Copying config 9c6f072447 done  
Writing manifest to image destination
Signing manifest
Storing signatures
[root@localhost ~]# 

  • Look at the system signature store
[root@localhost ~]# ls /var/lib/containers/sigstore
'alpine@sha256=e89c741df8cf66a2ada32d34844bcf6b5cfe3a9e2f6846b4c90b9165bc87d7ef'
[root@localhost ~]# 

  • Start a new server in the local staging signature store
[root@localhost ~]# dnf module list | grep python
Failed to set locale, defaulting to C.UTF-8
libselinux-python    2.8             common                                   Python 2 bindings for libselinux                                                                                                                                                                                                 
python27             2.7 [d]         common [d]                               Python programming language, version 2.7                                                                                                                                                                                         
python36             3.6 [d]         build, common [d]                        Python programming language, version 3.6                                                                                                                                                                                         
python38             3.8 [d]         build, common [d]                        Python programming language, version 3.8                                                                                                                                                                                         
python39             3.9 [d]         build, common [d]                        Python programming language, version 3.9                                                                                                                                                                                         
[root@localhost ~]# dnf module install python38 -y
·····
[root@localhost ~]# cd /var/lib/containers/
[root@localhost containers]# ls
cache  sigstore  storage
[root@localhost containers]# cd sigstore/
[root@localhost sigstore]# ls
'alpine@sha256=e89c741df8cf66a2ada32d34844bcf6b5cfe3a9e2f6846b4c90b9165bc87d7ef'
[root@localhost sigstore]# pwd
/var/lib/containers/sigstore
[root@localhost sigstore]# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

//Add a firewall rule
[root@localhost ~]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=192.168.183.0/24 port port=8000 protocol=tcp accept' --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# 
  • Try accessing it


  • Remove the images in order to test
[root@localhost ~]# podman rmi docker.io/alpine localhost:5000/alpine
Untagged: docker.io/library/alpine:latest
Untagged: localhost:5000/alpine:latest
Deleted: 9c6f0724472873bb50a2ae67a9e7adcb57673a183cea8b06eb778dca859181b5
[root@localhost ~]# 
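
Signing only protects consumers if the pulling host's /etc/containers/policy.json demands a signature for that registry, and the steps above do not change that file. The following added example (not part of the original post) resolves which policy entry governs an image, matching containers-policy.json scopes from most specific to least, and reports whether a signature would be required. The two policies and the keyPath are constructed samples; wildcard scopes are not handled and image names must be fully qualified.

```python
import json

# Constructed samples. PERMISSIVE accepts every image without checking
# signatures; ENFORCING pins localhost:5000 to the GPG key generated above.
# The keyPath is a hypothetical location for the exported public key.
PERMISSIVE = {"default": [{"type": "insecureAcceptAnything"}]}
ENFORCING = json.loads("""
{
  "default": [{"type": "reject"}],
  "transports": {"docker": {
    "localhost:5000": [{"type": "signedBy", "keyType": "GPGKeys",
                        "keyPath": "/etc/pki/containers/sefsef.gpg"}],
    "docker.io/library/registry": [{"type": "insecureAcceptAnything"}]
  }}
}
""")


def candidate_scopes(image):
    """Yield policy scopes for a fully qualified image, most specific first."""
    yield image                                   # e.g. host:port/repo:tag
    repo, last = image, image.rsplit("/", 1)[-1]
    if "@" in last:                               # strip @sha256:... digest
        repo = image.rsplit("@", 1)[0]
    elif ":" in last:                             # strip :tag, not host:port
        repo = image.rsplit(":", 1)[0]
    if repo != image:
        yield repo
    while "/" in repo:                            # repo -> namespace -> host
        repo = repo.rsplit("/", 1)[0]
        yield repo
    yield ""                                      # transport-wide default scope


def resolve(policy, image, transport="docker"):
    """Return (matched scope, requirements) that govern pulling `image`."""
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in candidate_scopes(image):
        if scope in scopes:
            return scope, scopes[scope]
    return "default", policy["default"]


def audit(policy, image):
    """Classify what the policy does with `image` before it is stored."""
    scope, requirements = resolve(policy, image)
    types = {req["type"] for req in requirements}
    if "reject" in types:
        verdict = "rejected"
    elif types & {"signedBy", "sigstoreSigned"}:
        verdict = "signature required"
    else:
        verdict = "accepted unverified"
    return scope, verdict


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("enforcing", ENFORCING)):
        for image in ("localhost:5000/alpine:latest",
                      "docker.io/library/alpine:latest"):
            print(name, image, audit(policy, image))
```

To audit a real host, load /etc/containers/policy.json with json.load and pass the result as `policy`.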

3. Podman container management commands

3.1 create

  • Create a container
[root@localhost ~]# podman container create httpd
f8609220bbfbc4dad72da94eda93fa579194cf148719dcf3012bfa10e823d52e
[root@localhost ~]# 
//You can also set the container name with --name
[root@localhost ~]# podman container create --name lis httpd
8e8b79c268f19d3e36015659b32788671d200daf7864e9fa272168b0b31984ce
[root@localhost ~]# 

3.2 start

  • Start containers
[root@localhost ~]# podman container start lis f8609220bbfb
lis
f8609220bbfb
[root@localhost ~]# 

3.3 ps&list

  • List containers
[root@localhost ~]# podman container list
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS             PORTS       NAMES
f8609220bbfb  docker.io/library/httpd:latest  httpd-foreground  5 minutes ago  Up 15 seconds ago              agitated_austin
8e8b79c268f1  docker.io/library/httpd:latest  httpd-foreground  3 minutes ago  Up 15 seconds ago              lis
[root@localhost ~]# podman container ps
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS             PORTS       NAMES
f8609220bbfb  docker.io/library/httpd:latest  httpd-foreground  5 minutes ago  Up 21 seconds ago              agitated_austin
8e8b79c268f1  docker.io/library/httpd:latest  httpd-foreground  3 minutes ago  Up 21 seconds ago              lis
[root@localhost ~]# 

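//Options
-a or --all	//list all containers, including those that are not running
-s or --size	//show the size of all running instances on the local machine
-q or --quiet	//show container IDs only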

3.4 rename

  • Rename a container
[root@localhost ~]# podman container rename lis web
[root@localhost ~]# podman container list
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS       NAMES
f8609220bbfb  docker.io/library/httpd:latest  httpd-foreground  7 minutes ago  Up 2 minutes ago              agitated_austin
8e8b79c268f1  docker.io/library/httpd:latest  httpd-foreground  5 minutes ago  Up 2 minutes ago              web
[root@localhost ~]# 

3.5 stop

  • Stop containers
[root@localhost ~]# podman container stop web f8609220bbfb
web
f8609220bbfb
[root@localhost ~]# podman container ps
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES
[root@localhost ~]# 

3.6 restart

  • Restart a container
[root@localhost ~]# podman container restart  web 
8e8b79c268f19d3e36015659b32788671d200daf7864e9fa272168b0b31984ce
[root@localhost ~]# podman container ps
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS           PORTS       NAMES
8e8b79c268f1  docker.io/library/httpd:latest  httpd-foreground  6 minutes ago  Up 1 second ago              web
[root@localhost ~]# 

3.7 run

  • Run a command in a container
[root@localhost ~]# podman container run -itd --name ls busybox
7e63175f95af1f8ac3915b511235d8b57ed884b3c616300c2f17fc34c160379b
[root@localhost ~]# podman container ps
CONTAINER ID  IMAGE                             COMMAND           CREATED        STATUS                 PORTS       NAMES
8e8b79c268f1  docker.io/library/httpd:latest    httpd-foreground  8 minutes ago  Up About a minute ago              web
7e63175f95af  docker.io/library/busybox:latest  sh                8 seconds ago  Up 8 seconds ago                   ls
[root@localhost ~]# 

3.8 attach

  • Attach to a running container
[root@localhost ~]# podman container attach ls
/ # ls
bin   dev   etc   home  proc  root  run   sys   tmp   usr   var
/ # 

3.9 exec

  • Run a process in a running container
[root@localhost ~]# podman container exec -it ls /bin/sh
/ # ls
bin   dev   etc   home  proc  root  run   sys   tmp   usr   var

3.10 cp

  • Copy files between a container and the local filesystem
[root@localhost ~]# podman container cp a hh:/
[root@localhost ~]# podman container exec -it hh /bin/sh
/ # ls
a     bin   dev   etc   home  proc  root  run   sys   tmp   usr   var

3.11 diff

  • Inspect changes to the container's filesystem
[root@localhost ~]# podman container diff ls
C /etc
C /root
A /root/.ash_history
[root@localhost ~]# 

3.12 inspect

  • Display the container's configuration
[root@localhost ~]# podman container inspect ls
[
    {
        "Id": "7e63175f95af1f8ac3915b511235d8b57ed884b3c616300c2f17fc34c160379b",
        "Created": "2022-08-15T22:24:43.733870154+08:00",
        "Path": "sh",
        "Args": [
            "sh"
        ],
······

3.13 stats

  • Display the container's resource usage statistics
[root@localhost ~]# podman container stats web

ID            NAME        CPU %       MEM USAGE / LIMIT  MEM %       NET IO          BLOCK IO    PIDS        CPU TIME     AVG CPU %
8e8b79c268f1  web         0.00%       12.31MB / 2.04GB   0.60%       978B / 2.482kB  -- / --     82          51.741896ms  0.00%

3.14 top

  • Display the container's running processes
[root@localhost ~]# podman container top web
USER        PID         PPID        %CPU        ELAPSED          TTY         TIME        COMMAND
root        1           0           0.000       8m47.931336115s  ?           0s          httpd -DFOREGROUND 
www-data    7           1           0.000       8m47.931476923s  ?           0s          httpd -DFOREGROUND 
www-data    8           1           0.000       8m47.931508918s  ?           0s          httpd -DFOREGROUND 
www-data    9           1           0.000       8m47.931538324s  ?           0s          httpd -DFOREGROUND 
[root@localhost ~]# 

3.15 logs

  • Fetch the container's logs
[root@localhost ~]# podman container logs web 
/ # ls
bin   dev   etc   home  proc  root  run   sys   tmp   usr   var
/ # exit 

3.16 kill

  • Terminate a container with a specific signal
[root@localhost ~]# podman kill web
web
[root@localhost ~]# podman container ps
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES
[root@localhost ~]# 

3.17 port

  • List port mappings
[root@localhost ~]# podman container run -d --name lsls -p 80:80 httpd
4d35406c2b76a7dd266f0be533b3f79c1b130cf43b7f93bebb9bb803071a4ede
[root@localhost ~]# podman container port lsls
80/tcp -> 0.0.0.0:80
[root@localhost ~]# 

3.18 rm

  • Remove a container
[root@localhost ~]# podman stop lsls
lsls
[root@localhost ~]# podman container rm lsls
4d35406c2b76a7dd266f0be533b3f79c1b130cf43b7f93bebb9bb803071a4ede
[root@localhost ~]# podman container ps
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES
[root@localhost ~]# 
