Managing Podman as a rootless user and rootless volume management

Managing Podman as a rootless user

1. Install Podman

[root@localhost ~]# dnf install -y podman

2. Configure a registry mirror

  • Configuration on version 8
 [root@localhost ~]# vim /etc/containers/registries.conf
 #unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]	// comment out this line
 unqualified-search-registries = ["docker.io"]	// add docker.io
 
 [[registry]]
 prefix = "docker.io"
 location = "8r73devx.mirror.aliyuncs.com"

3. User setup

  • Before users without root privileges are allowed to run Podman, the administrator must install or build Podman and complete the configuration below.
  • The cgroup v2 Linux kernel feature lets you limit the resources that an ordinary user's containers may consume. If the Linux distribution running Podman has cgroup v2 enabled, the default OCI runtime may need to be changed: some older versions of runc do not work with cgroup v2, so you must switch to the alternative OCI runtime crun.
[root@localhost ~]# dnf -y install crun
Failed to set locale, defaulting to C.UTF-8
...

Complete!
[root@localhost ~]# vim /usr/share/containers/containers.conf
runtime = "crun"	// uncomment this line

[root@localhost ~]# podman run -d --name web nginx
Resolving "nginx" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob b4df32aa5a72 done  
Copying blob 186b1aaa4aa6 done  
Copying blob 589b7251471a done  
Copying blob a0bcbecc962e done  
Copying blob a2abf6c4d29d done  
Copying blob a9edb18cadd1 done  
Copying config 605c77e624 done  
Writing manifest to image destination
Storing signatures
4c32365910d011a2a49b113b179fbbd18f576423af8c2d276d5d091074b8f23d
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS       NAMES
4c32365910d0  docker.io/library/nginx:latest  nginx -g daemon o...  8 seconds ago  Up 8 seconds ago              web
[root@localhost ~]# podman inspect web | grep -i ociruntime
        "OCIRuntime": "crun",
[root@localhost ~]# 


  • Install slirp4netns and fuse-overlayfs
[root@localhost ~]# dnf -y install slirp4netns fuse-overlayfs
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 0:08:21 ago on Tue Aug 16 23:08:53 2022.
Package slirp4netns-1.1.8-1.module_el8.6.0+926+8bef8ae7.x86_64 is already installed.
Package fuse-overlayfs-1.7.1-1.module_el8.6.0+926+8bef8ae7.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!	// already installed by default
[root@localhost ~]# vim /etc/containers/storage.conf 

mount_program = "/usr/bin/fuse-overlayfs"		// uncomment this line

  • Configure subuid and subgid
[root@localhost ~]# dnf -y install shadow-utils
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 0:11:02 ago on Tue Aug 16 23:08:53 2022.
Package shadow-utils-2:4.6-16.el8.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@localhost ~]# useradd lis
[root@localhost ~]# useradd lis1
[root@localhost ~]# cat /etc/subuid
lis:100000:65536
lis1:165536:65536
[root@localhost ~]# cat /etc/subgid
lis:100000:65536
lis1:165536:65536
[root@localhost ~]# 

  • Change the starting ID with usermod
[root@localhost ~]# usermod --add-subuids 200000-201000 --add-subgids 200000-201000 lis
[root@localhost ~]# cat /etc/subuid
lis:100000:65536
lis1:165536:65536
lis:200000:1001
[root@localhost ~]# cat /etc/subgid
lis:100000:65536
lis1:165536:65536
lis:200000:1001
[root@localhost ~]# 
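As an added example (not part of the original post), a small shell check that parses an /etc/subuid-style file and reports ranges shared by two different users; run against the entries shown above it flags that the range added with usermod (200000-201000) lies inside lis1's range (165536-231071), so those two users' containers could end up running as the same host UIDs.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an /etc/subuid-style
# file (name:start:count per line) for ranges that two different users share.
# Overlapping ranges let two rootless users' containers run as the same host
# UIDs, defeating the per-user isolation rootless Podman relies on.

check_subid_overlap() {
    # $1: path to a file in /etc/subuid (or /etc/subgid) format.
    # Prints every overlapping pair; exit status 1 if any overlap, else 0.
    awk -F: '
    NF == 3 && $1 !~ /^#/ {
        n++; user[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (user[i] != user[j] && lo[i] <= hi[j] && lo[j] <= hi[i]) {
                    printf "overlap: %s %d-%d and %s %d-%d\n",
                           user[i], lo[i], hi[i], user[j], lo[j], hi[j]
                    bad = 1
                }
        exit bad
    }' "$1"
}

# Constructed copies of the two states of /etc/subuid shown on this page.
BEFORE_USERMOD=$(mktemp)
printf 'lis:100000:65536\nlis1:165536:65536\n' > "$BEFORE_USERMOD"
AFTER_USERMOD=$(mktemp)
printf 'lis:100000:65536\nlis1:165536:65536\nlis:200000:1001\n' > "$AFTER_USERMOD"

check_subid_overlap "$BEFORE_USERMOD" && echo "before usermod: no overlap"
# The range added with usermod (200000-201000) sits inside lis1's
# 165536-231071, so this call prints the pair and returns 1.
check_subid_overlap "$AFTER_USERMOD" || echo "after usermod: overlap found"
rm -f "$BEFORE_USERMOD" "$AFTER_USERMOD"
```

Pick a start for a new range that lies beyond every existing user's start+count (or simply let useradd allocate it) to avoid the overlap.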

  • Enable unprivileged ping
// apply it with the command
[root@localhost ~]# sysctl -w "net.ipv4.ping_group_range=0 200000"
net.ipv4.ping_group_range = 0 200000
// edit the config file to make it persistent
[root@localhost ~]# vim /etc/sysctl.conf 
net.ipv4.ping_group_range = 0 200000	// "0 200000" means every GID from 0 through 200000, which covers the subgid ranges starting at 100000, may use ping inside rootless Podman
  • Edit the user configuration files

The three main configuration files are containers.conf, storage.conf and registries.conf. Users can modify these files as needed.

  • containers.conf
Container configuration file.
Precedence (top to bottom, highest to lowest):
$HOME/.config/containers/containers.conf 	// highest precedence
/etc/containers/containers.conf
/usr/share/containers/containers.conf		// lowest precedence; present by default
if they exist, in that order. Each file overrides the file one level below it in precedence.
  • storage.conf
Storage configuration file.
Precedence (top to bottom, highest to lowest):
$HOME/.config/containers/storage.conf
/etc/containers/storage.conf

When running as an ordinary user, some fields of /etc/containers/storage.conf are ignored.

[root@podman ~]# vim /etc/containers/storage.conf 
[storage]
driver = "overlay"				// set to overlay; this is usually the default
runroot = "/run/containers/storage"		// default
graphroot = "/var/lib/containers/storage"	// also the default
 
mount_program = "/usr/bin/fuse-overlayfs"	// uncomment; on CentOS 8 this is the default
  • Set the number of user namespaces available to rootless users
// apply it with the command
[root@localhost ~]# sysctl user.max_user_namespaces=15000
user.max_user_namespaces = 15000
// edit the config file to make it persistent
[root@localhost ~]# vim /etc/sysctl.conf
user.max_user_namespaces=15000
  • registries.conf
Precedence (top to bottom, highest to lowest):
$HOME/.config/containers/registries.conf
/etc/containers/registries.d/*
/etc/containers/registries.conf
  • Credentials file
[root@podman ~]# podman login 
Username: 5152486221
Password: 
Login Succeeded!
[root@podman ~]# cat /run/user/0/containers/auth.json 
{
        "auths": {
                "registry.fedoraproject.org": {
                        "auth": "MjUwNDg3NTk5Nzp3eGgyMDAyMDQyMw=="
                }
        }
}
[root@podman ~]# 
  • Isolation between users

A rootless (ordinary) user cannot see the root user's images, and the root user likewise cannot see a rootless user's images; the same applies to containers.

[root@localhost ~]# podman images
REPOSITORY               TAG         IMAGE ID      CREATED       SIZE
docker.io/library/nginx  latest      605c77e624dd  7 months ago  146 MB
[root@localhost ~]# su - lis1
[lis1@localhost ~]$ podman images
REPOSITORY  TAG         IMAGE ID    CREATED     SIZE
[lis1@localhost ~]$ 

4. Volume management for rootless users

  • When a rootless container runs as root, the root user inside the container is actually your user on the host.
  • The remaining UIDs/GIDs are mapped starting from the first UID/GID specified in the user's entry in /etc/subuid and /etc/subgid.
  • If you mount a host directory into the container as an ordinary user and create files in it as root, you will see that on the host they are actually owned by your user.
// mounting a volume as a rootless user
[root@localhost ~]# su - lis1
Last login: Tue Aug 16 23:35:08 CST 2022 on pts/0
[lis1@localhost ~]$ mkdir lll
[lis1@localhost ~]$ podman run -it -v `pwd`/lll:/lll docker.io/library/busybox /bin/sh
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 5cc84ad355aa done  
Copying config beae173cca done  
Writing manifest to image destination
Storing signatures
/ # ls -ld lll/
drwxrwxr-x    2 root     root             6 Aug 16 15:36 lll/
/ # cd lll/
/lll # touch 123
/lll # ls -l
total 0
-rw-r--r--    1 root     root             0 Aug 16 15:38 123
/lll # exit

// check on the host
[lis1@localhost ~]$ ll lll/
total 0
-rw-r--r-- 1 lis1 lis1 0 Aug 16 15:44 123

// write content to the file again
[lis1@localhost ~]$ echo "hello world!" > lll/123
[lis1@localhost ~]$ cat lll/123
hello world!
[lis1@localhost ~]$ 

// view it from inside the container
[lis1@localhost ~]$ podman start -l
8c3864b6ac26692d639bd4d92e9e46d8b2cc98aff8fad7e4a0fd1e296cd5137e
[lis1@localhost ~]$ podman exec -it -l /bin/sh
/ # cat lll/123
hello world!

// the file's owner and group show as root
/ # ls -ld lll/
drwxrwxr-x    2 root     root            17 Aug 16 15:44 lll/
/ # ls -l lll/
-rw-r--r--    1 root     root             8 Aug 16 15:50 123

// to have it owned by your own user (lis1 here), just add --userns=keep-id when running the container
[lis1@localhost ~]$ podman rm -f -l
8c3864b6ac26692d639bd4d92e9e46d8b2cc98aff8fad7e4a0fd1e296cd5137e
[lis1@localhost ~]$ podman run -it  -v `pwd`/lll:/lll --userns=keep-id docker.io/library/busybox /bin/sh
~ $ ls -ld lll/
drwxrwxr-x    2 lis1     lis1            17 Aug 16 15:44 lll/
~ $ ls -l lll/
total 4
-rw-r--r--    1 lis1     lis1             8 Aug 16 15:50 123
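As an added example (not from the original post), the mapping described in the bullets above worked through in shell: given a uid_map in the three-column "container_start host_start count" layout of /proc/self/uid_map, it computes which host UID a container UID lands on under the default rootless mapping. lis1's host UID of 1001 is an assumption; the subuid range is the one from /etc/subuid above. It does not model --userns=keep-id, where the user's own UID maps to itself, which is why the second run showed lis1 as the owner.

```shell
#!/bin/sh
# Added example, not part of the original post: resolve a container UID to
# the host UID it is backed by, using the "container_start host_start count"
# format of /proc/self/uid_map (the layout `podman unshare cat
# /proc/self/uid_map` prints for a rootless user).

# Constructed uid_map for lis1 (host UID 1001 is an assumption):
#   container 0        -> host 1001        (the user itself)
#   container 1..65536 -> host 165536..231071 (lis1:165536:65536 in /etc/subuid)
LIS1_UID_MAP='0 1001 1
1 165536 65536'

host_uid_for() {
    # $1: uid_map text, $2: container UID. Prints the host UID, or "unmapped"
    # when the UID falls outside every range (the kernel shows such files as
    # the overflow UID, nobody).
    printf '%s\n' "$1" | awk -v cuid="$2" '
    NF == 3 && cuid >= $1 && cuid < $1 + $3 {
        print $2 + (cuid - $1); found = 1; exit
    }
    END { if (!found) print "unmapped" }'
}

# The file "123" created by root (UID 0) inside the container is therefore
# owned by lis1 on the host, exactly as the `ll lll/` output showed.
host_uid_for "$LIS1_UID_MAP" 0       # 1001
host_uid_for "$LIS1_UID_MAP" 1       # 165536
host_uid_for "$LIS1_UID_MAP" 65536   # 231071
host_uid_for "$LIS1_UID_MAP" 70000   # unmapped
```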

6. Mapping container ports as an ordinary user

Mapping a container port as an ordinary user fails with a "permission denied" error.
Ordinary users can map ports >= 1024.

[lis1@localhost ~]$ podman run -d -p 82:80 nginx
Resolving "nginx" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob a0bcbecc962e done  
Copying blob 186b1aaa4aa6 done  
Copying blob 589b7251471a done  
Copying blob a9edb18cadd1 done  
Copying blob b4df32aa5a72 done  
Copying blob a2abf6c4d29d done  
Copying config 605c77e624 done  
Writing manifest to image destination
Storing signatures
Error: rootlessport cannot expose privileged port 82, you can add 'net.ipv4.ip_unprivileged_port_start=82' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:82: bind: permission denied
[lis1@localhost ~]$ 


// as root, edit the config file and apply it
[root@localhost ~]# vim /etc/sysctl.conf 
net.ipv4.ip_unprivileged_port_start = 80
[root@localhost ~]# sysctl -p
net.ipv4.ping_group_range = 0 200000
user.max_user_namespaces = 15000
net.ipv4.ip_unprivileged_port_start = 80
[root@localhost ~]# 


// as the rootless user, map the port again
[root@localhost ~]# su - lis1
Last login: Tue Aug 16 23:36:13 CST 2022 on pts/0
[lis1@localhost ~]$ podman run -d -p 82:80 nginx
73200e51247223bbf6f97b24096f3fdf2c2fd823aff0a99cb2fa0ca0ba48d29d
[lis1@localhost ~]$ podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS               NAMES
73200e512472  docker.io/library/nginx:latest  nginx -g daemon o...  5 seconds ago  Up 6 seconds ago  0.0.0.0:82->80/tcp  frosty_mclaren
[lis1@localhost ~]$ 

7. Rootless container networking

Before Podman 4.10, rootless containers have no IP address; their traffic is forwarded through slirp4netns.

[lis1@localhost ~]$ podman run -itd --name hhh busybox
e1d7edaa3911b7ac99d1aae68019bb790a862ad9c4aec48f8032d3076c5f7d7a
[lis1@localhost ~]$ podman inspect -l |grep -i ipaddress
            "IPAddress": "",

// having no IP address does not prevent reaching the Internet; a tap0 virtual interface is created
[lis1@localhost ~]$ podman exec -it -l /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: tap0: <BROADCAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel qlen 1000
    link/ether b6:0f:14:32:98:84 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.100/24 brd 10.0.2.255 scope global tap0
       valid_lft forever preferred_lft forever
    inet6 fe80::b40f:14ff:fe32:9884/64 scope link 
       valid_lft forever preferred_lft forever
/ # ping www.baidu.com
PING www.baidu.com (14.215.177.39): 56 data bytes
64 bytes from 14.215.177.39: seq=0 ttl=255 time=53.544 ms
64 bytes from 14.215.177.39: seq=1 ttl=255 time=38.511 ms
64 bytes from 14.215.177.39: seq=2 ttl=255 time=33.739 ms
^C
--- www.baidu.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 33.739/41.931/53.544 ms
/ # 
