podman容器
podman网络
运行容器前
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:76:67:c7 brd ff:ff:ff:ff:ff:ff
inet 192.168.237.138/24 brd 192.168.237.255 scope global dynamic noprefixroute ens33
valid_lft 1758sec preferred_lft 1758sec
inet6 fe80::20c:29ff:fe76:67c7/64 scope link noprefixroute
valid_lft forever preferred_lft forever
运行容器
[root@localhost ~]# podman run -d --name web httpd
374a25e90b2aac0432efefa1b6014694e987b53ca6c796b2b7a7fd78f713aaed
[root@localhost ~]# docker ps
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
374a25e90b2a docker.io/library/httpd:latest httpd-foreground 3 seconds ago Up 3 seconds ago web
//查看IP
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:76:67:c7 brd ff:ff:ff:ff:ff:ff
inet 192.168.237.138/24 brd 192.168.237.255 scope global dynamic noprefixroute ens33
valid_lft 1684sec preferred_lft 1684sec
inet6 fe80::20c:29ff:fe76:67c7/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: cni-podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 26:e5:5c:58:b7:e9 brd ff:ff:ff:ff:ff:ff
inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
valid_lft forever preferred_lft forever
inet6 fe80::24e5:5cff:fe58:b7e9/64 scope link
valid_lft forever preferred_lft forever
4: vethb117d282@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default
link/ether ea:f0:97:1e:17:4b brd ff:ff:ff:ff:ff:ff link-netns cni-26ca3803-5ddc-7667-a1ed-358629de4f21
inet6 fe80::e8f0:97ff:fe1e:174b/64 scope link
valid_lft forever preferred_lft forever
//关闭容器,cni网卡还存在
[root@localhost ~]# podman stop -l
374a25e90b2aac0432efefa1b6014694e987b53ca6c796b2b7a7fd78f713aaed
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:76:67:c7 brd ff:ff:ff:ff:ff:ff
inet 192.168.237.138/24 brd 192.168.237.255 scope global dynamic noprefixroute ens33
valid_lft 1601sec preferred_lft 1601sec
inet6 fe80::20c:29ff:fe76:67c7/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: cni-podman0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 26:e5:5c:58:b7:e9 brd ff:ff:ff:ff:ff:ff
inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
valid_lft forever preferred_lft forever
inet6 fe80::24e5:5cff:fe58:b7e9/64 scope link
valid_lft forever preferred_lft forever
//删除容器,cni网卡也还在
[root@localhost ~]# podman rm -l
374a25e90b2aac0432efefa1b6014694e987b53ca6c796b2b7a7fd78f713aaed
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:76:67:c7 brd ff:ff:ff:ff:ff:ff
inet 192.168.237.138/24 brd 192.168.237.255 scope global dynamic noprefixroute ens33
valid_lft 1519sec preferred_lft 1519sec
inet6 fe80::20c:29ff:fe76:67c7/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: cni-podman0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 26:e5:5c:58:b7:e9 brd ff:ff:ff:ff:ff:ff
inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
valid_lft forever preferred_lft forever
inet6 fe80::24e5:5cff:fe58:b7e9/64 scope link
valid_lft forever preferred_lft forever
//创建网络
[root@localhost ~]# podman network create test
/etc/cni/net.d/test.conflist
[root@localhost ~]# podman network ls
NETWORK ID NAME VERSION PLUGINS
2f259bab93aa podman 0.4.0 bridge,portmap,firewall,tuning
9f86d081884c test 0.4.0 bridge,portmap,firewall,tuning
podman容器开机自启
root用户
//创建(而非启动)一个容器。这里用的是短名httpd,由podman解析为docker.io/library/httpd:latest;生产环境建议写完整镜像名并固定tag或digest,避免短名解析/漂移的latest拉到意外镜像
[root@localhost ~]# podman create --name httpd httpd
c0358f167157b321bf8db663f985ee5549878129a825ee74d87cf6bcf1abd707
//生成service文件,并移动到systemd单元目录下。示例放在/usr/lib/systemd/system/,该目录通常由软件包管理,本地自定义单元更建议放到/etc/systemd/system/;移动后执行systemctl daemon-reload让systemd重新扫描单元
[root@localhost ~]# podman generate systemd --new --files --name httpd
/root/container-httpd.service
[root@localhost ~]# ls
anaconda-ks.cfg container-httpd.service
[root@localhost ~]# mv container-httpd.service /usr/lib/systemd/system/
//查看状态
[root@localhost ~]# systemctl status container-httpd.service
● container-httpd.service - Podman container-httpd.service
Loaded: loaded (/usr/lib/systemd/system/container-httpd.service; static; vendor preset: disabled)
Active: inactive (dead)
Docs: man:podman-generate-systemd(1)
//启动服务并设置开机自启
[root@localhost ~]# systemctl enable --now container-httpd
[root@localhost ~]# systemctl status container-httpd
● container-httpd.service - Podman container-httpd.service
Loaded: loaded (/usr/lib/systemd/system/container-httpd.service; enabled;>
Active: active (running) since Tue 2021-12-14 18:40:28 CST; 37s ago
Docs: man:podman-generate-systemd(1)
//查看容器状态
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c0358f167157 docker.io/library/httpd:latest httpd-foreground 3 seconds ago Up 4 seconds ago httpd
普通用户
//普通用户使用ssh连接。下面用弱口令'123'且通过echo管道传给passwd仅作演示:口令会留在shell历史中,生产环境应使用强口令或基于密钥的SSH认证。另外首次连接时应先通过带外渠道核对主机密钥指纹再回答yes;下面known_hosts提示中记录的地址(192.168.218.144)与实际连接的地址(192.168.237.138)不一致,这段输出很可能来自另一次会话
[root@192 ~]# useradd test
[root@192 ~]# echo '123' |passwd --stdin test
Changing password for user test.
passwd: all authentication tokens updated successfully.
[root@192 ~]# ssh test@192.168.237.138
The authenticity of host '192.168.237.138 (192.168.237.138)' can't be established.
ECDSA key fingerprint is SHA256:WJhWep5f5qOLTv3RtwQdNO1iiIBNtor5EYVy0+2mDac.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.218.144' (ECDSA) to the list of known hosts.
test@192.168.237.138's password:
//运行一个容器。rootless用户只能映射大于等于内核参数net.ipv4.ip_unprivileged_port_start(默认1024)的主机端口,低于该值的端口需要root,或由root调低该sysctl。注意-p 8080:80会绑定到0.0.0.0(见下面PORTS列),即所有网卡均可访问;只想本机访问可写成-p 127.0.0.1:8080:80
[test@192 ~]$ podman run -d --name nginx -p 8080:80 docker.io/library/nginx
d39217970fc659030b42ff57f8321d98c8455c3991f273b065b6ef0913a6165b
[test@192 ~]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
70fc659030b3 docker.io/library/nginx:latest nginx -g daemon o... About a minute ago Up About a minute ago 0.0.0.0:8080->80/tcp nginx
//创建用户级systemd单元目录~/.config/systemd/user/,路径必须与此完全一致:systemctl --user只会从这个目录(以及系统级的用户单元目录)加载单元
[test@192 ~]$ mkdir -p ~/.config/systemd/user/
[test@192 ~]$ cd .config/systemd/user/
[test@192 user]$ pwd
/home/test/.config/systemd/user
//生成service文件
[test@192 user]$ podman generate systemd --name nginx --files --new
/home/test/.config/systemd/user/container-nginx.service
[test@192 user]$ cat container-nginx.service
# container-nginx.service
# autogenerated by Podman 3.3.1
# Wed Dec 15 09:58:03 CST 2021
[Unit]
Description=Podman container-nginx.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/%n.ctr-id
ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --sdnotify=conmon --cgroups=no-conmon --rm --replace -d --name nginx -p 8080:80 docker.io/library/nginx
ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all
[Install]
WantedBy=multi-user.target default.target
//手动关闭容器,以便后续测试开机自启
[test@192 user]$ podman stop nginx
nginx
//重新加载用户级单元并设置自启;rootless用户的所有systemctl操作都必须加--user。注意这里启用的是"用户登录、user@UID.service启动时"自动拉起容器,要在无人登录的情况下随系统启动,通常还需要为该用户开启linger(loginctl enable-linger test)
[test@192 user]$ systemctl --user daemon-reload
[test@192 user]$ systemctl --user enable container-nginx.service --now
Created symlink /home/test/.config/systemd/user/multi-user.target.wants/container-nginx.service → /home/test/.config/systemd/user/container-nginx.service.
Created symlink /home/test/.config/systemd/user/default.target.wants/container-nginx.service → /home/test/.config/systemd/user/container-nginx.service.
//查看状态
[test@192 user]$ systemctl --user status container-nginx
● container-nginx.service - Podman container-nginx.service
Loaded: loaded (/home/test/.config/systemd/user/container-nginx.service; enabled>
Active: active (running) since Wed 2021-12-15 10:01:13 CST; 1min 23s ago
Docs: man:podman-generate-systemd(1)
Process: 4245 ExecStartPre=/bin/rm -f /run/user/1000/container-nginx.service.ctr->
Main PID: 4306 (conmon)
CGroup: /user.slice/user-1000.slice/user@1000.service/container-nginx.service
├─4285 /usr/bin/fuse-overlayfs -o ,lowerdir=/home/test/.local/share/cont>
├─4286 /usr/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable>
├─4289 containers-rootlessport
├─4297 containers-rootlessport-child
├─4306 /usr/bin/conmon --api-version 1 -c 341f5016425eaa80eaf8b4b35ae165>
└─341f5016425eaa80eaf8b4b35ae165ca09f9ce39f4629aa0de49f61153097a71
├─4318 nginx: master process nginx -g daemon off;
├─4357 nginx: worker process
├─4358 nginx: worker process
├─4359 nginx: worker process
└─4360 nginx: worker process
//nginx容器已设置开机自启,查看容器是否运行
[test@192 user]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
341f5016425e docker.io/library/nginx:latest nginx -g daemon o... 2 minutes ago Up 2 minutes ago 0.0.0.0:8080->80/tcp nginx
//服务关闭,容器自动删除
[test@192 user]$ systemctl --user stop container-nginx.service
[test@192 user]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[test@192 user]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS
//服务启动,容器自动创建并运行
[test@192 user]$ systemctl --user start container-nginx.service
[test@192 user]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
aa2b3cffa5b1 docker.io/library/nginx:latest nginx -g daemon o... 4 seconds ago Up 4 seconds ago 0.0.0.0:8080->80/tcp nginx
//重启主机验证自启。注意下面容器的CREATED为登录后数秒,说明它很可能是在test用户ssh登录、用户级systemd实例启动时才被拉起的;若未开启linger,用户不登录则容器不会运行
[root@192 ~]# reboot //切换到root用户reboot
[root@192 ~]# ssh test@192.168.237.138
test@192.168.237.138's password:
Last login: Wed Dec 15 19:26:49 2021
[test@192 ~]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
111704eb89b4 docker.io/library/nginx:latest nginx -g daemon o... 4 seconds ago Up 5 seconds ago 0.0.0.0:8080->80/tcp nginx
[test@192 user]$ systemctl --user status container-nginx.service
● container-nginx.service - Podman container-nginx.service
Loaded: loaded (/home/test/.config/systemd/user/container-nginx.service; enabled>
Active: active (running) since Wed 2021-12-15 10:28:15 CST; 44s ago
Docs: man:podman-generate-systemd(1)
Process: 1409 ExecStartPre=/bin/rm -f /run/user/1000/container-nginx.service.ctr->
Main PID: 1541 (conmon)
CGroup: /user.slice/user-1000.slice/user@1000.service/container-nginx.service
├─1475 /usr/bin/podman
├─1516 /usr/bin/fuse-overlayfs -o ,lowerdir=/home/test/.local/share/cont>
├─1517 /usr/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable>
├─1523 containers-rootlessport
├─1531 containers-rootlessport-child
├─1541 /usr/bin/conmon --api-version 1 -c 111704eb89b47924f91f39f688f29f>
└─111704eb89b47924f91f39f688f29f95c1f4e305fa9bbfbbc233e15470ad4813
├─1553 nginx: master process nginx -g daemon off;
├─1589 nginx: worker process
├─1590 nginx: worker process
├─1591 nginx: worker process
└─1592 nginx: worker process
//查看该用户的登录会话及linger状态
[test@192 user]$ loginctl user-status test
test (1000)
Since: Wed 2021-12-15 09:48:56 CST; 17min ago
State: active //active表示当前有活动的登录会话;是否开启linger看输出中的Linger: yes/no字段(此处已截断)。未开启linger时,用户注销后其user@UID.service连同容器会被停止,开机时也不会在无人登录的情况下启动
//要让rootless容器在用户未登录时也随系统启动并在注销后继续运行,需要以root(或具备polkit授权的账户)为该用户开启linger:
loginctl enable-linger <username>