无根环境中的基本设置
安装crun,修改配置文件
//安装crun
[root@192 ~]# dnf -y install crun
CentOS Stream 8 - AppStream 8.3 kB/s | 4.4 kB 00:00
CentOS Stream 8 - AppStream 655 kB/s | 24 MB 00:38
CentOS Stream 8 - BaseOS 6.6 kB/s | 3.9 kB 00:00
CentOS Stream 8 - BaseOS 910 kB/s | 25 MB 00:27
CentOS Stream 8 - Extras 7.0 kB/s | 2.9 kB 00:00
Dependencies resolved.
===================================================================================================
Package Architecture Version Repository Size
===================================================================================================
Installing:
crun x86_64 1.4.3-1.module_el8.7.0+1106+45480ee0 appstream 209 k
Installing dependencies:
yajl x86_64 2.1.0-11.el8 appstream 41 k
Transaction Summary
===================================================================================================
Install 2 Packages
Total download size: 250 k
Installed size: 602 k
Downloading Packages:
(1/2): yajl-2.1.0-11.el8.x86_64.rpm 132 kB/s | 41 kB 00:00
(2/2): crun-1.4.3-1.module_el8.7.0+1106+45480ee0.x86_64.rpm 446 kB/s | 209 kB 00:00
---------------------------------------------------------------------------------------------------
Total 308 kB/s | 250 kB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : yajl-2.1.0-11.el8.x86_64 1/2
Installing : crun-1.4.3-1.module_el8.7.0+1106+45480ee0.x86_64 2/2
Running scriptlet: crun-1.4.3-1.module_el8.7.0+1106+45480ee0.x86_64 2/2
Verifying : crun-1.4.3-1.module_el8.7.0+1106+45480ee0.x86_64 1/2
Verifying : yajl-2.1.0-11.el8.x86_64 2/2
Installed:
crun-1.4.3-1.module_el8.7.0+1106+45480ee0.x86_64 yajl-2.1.0-11.el8.x86_64
Complete!
[root@192 ~]# vi /usr/share/containers/containers.conf
# Default OCI runtime
#
runtime = "crun" //取消注释
#runtime = "runc"
//创建一个容器用nginx镜像
[root@192 ~]# podman run -d --name web -p 8080:8080 docker.io/library/nginx
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob 27e0d286aeab done
Copying blob baf2da91597d done
Copying blob b1349eea8fc5 done
Copying blob 6a17c8e7063d done
Copying blob 1efc276f4ff9 done
Copying blob 05396a986fd3 done
Copying config b692a91e4e done
Writing manifest to image destination
Storing signatures
2cef1ea188df81480ebc53a18da5302332ea866361b5d2b560c50969e27a0a13
[root@192 ~]# podman inspect web |grep crun
"OCIRuntime": "crun",
//安装slirp4netns和fuse-overlayfs
[root@192 ~]# dnf -y install slirp4netns
Last metadata expiration check: 0:12:29 ago on Wed 17 Aug 2022 10:35:31 AM CST.
Package slirp4netns-1.1.8-2.module_el8.7.0+1106+45480ee0.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@192 ~]# dnf -y install fuse-overlayfs
Last metadata expiration check: 0:12:38 ago on Wed 17 Aug 2022 10:35:31 AM CST.
Package fuse-overlayfs-1.8.2-1.module_el8.7.0+1106+45480ee0.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
//修改配置文件
[root@192 ~]# vi /etc/containers/storage.conf
mount_program = "/usr/bin/fuse-overlayfs" //取消注释
//安装shadow-utils
[root@192 ~]# dnf -y install shadow-utils
Last metadata expiration check: 0:14:59 ago on Wed 17 Aug 2022 10:35:31 AM CST.
Package shadow-utils-2:4.6-16.el8.x86_64 is already installed.
Dependencies resolved.
===========================================================================================
Package Architecture Version Repository Size
===========================================================================================
Upgrading:
shadow-utils x86_64 2:4.6-17.el8 baseos 1.2 M
Transaction Summary
===========================================================================================
Upgrade 1 Package
Total download size: 1.2 M
Downloading Packages:
shadow-utils-4.6-17.el8.x86_64.rpm 618 kB/s | 1.2 MB 00:02
-------------------------------------------------------------------------------------------
Total 508 kB/s | 1.2 MB 00:02
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Upgrading : shadow-utils-2:4.6-17.el8.x86_64 1/2
Cleanup : shadow-utils-2:4.6-16.el8.x86_64 2/2
Running scriptlet: shadow-utils-2:4.6-16.el8.x86_64 2/2
Verifying : shadow-utils-2:4.6-17.el8.x86_64 1/2
Verifying : shadow-utils-2:4.6-16.el8.x86_64 2/2
Upgraded:
shadow-utils-2:4.6-17.el8.x86_64
Complete!
//创建用户查看subuid和subgid
[root@192 ~]# useradd ray
[root@192 ~]# cat /etc/subgid
ray:100000:65536
[root@192 ~]# cat /etc/subuid
ray:100000:65536
//启用非特权ping (sysctl -w只在本次运行期间有效, 要持久化需写入/etc/sysctl.conf)
[root@192 ~]# sysctl -w "net.ipv4.ping_group_range=0 300000"
net.ipv4.ping_group_range = 0 300000
//用户配置文件
三个主要的配置文件是containers.conf、storage.conf和registries.conf
[root@192 ~]# cat /usr/share/containers/containers.conf
[root@192 ~]# cat /etc/containers/containers.conf
[root@192 ~]# cat ~/.config/containers/containers.conf //优先级最高
//配置storage.conf文件
1./etc/containers/storage.conf
2.$HOME/.config/containers/storage.conf
//在普通用户中/etc/containers/storage.conf的一些字段将被忽略
[root@localhost ~]# vi /etc/containers/storage.conf
[storage]
# Default Storage Driver, Must be set for proper operation.
driver = "overlay" #此处改为overlay
.......
mount_program = "/usr/bin/fuse-overlayfs" #取消注释
//在普通用户中这些字段默认
graphroot="$HOME/.local/share/containers/storage"
runroot="$XDG_RUNTIME_DIR/containers"
registries.conf
配置按此顺序读入。这些文件默认不会创建, 可以从/usr/share/containers或/etc/containers复制文件并进行修改。
1./etc/containers/registries.conf
2./etc/containers/registries.d/*
3.$HOME/.config/containers/registries.conf
//授权文件 (auth.json里的auth字段只是username:password的base64编码, 等同于明文密码, 不要把该文件提交到仓库或贴到文档里)
[root@192 ~]# podman login
Username: raylight2002
Password:
Login Succeeded!
[root@192 ~]# cat /run/user/0/containers/auth.json
{
"auths": {
"docker.io": {
"auth": "cmF5bGlnaHQyMDAyOmxvdmVsaXZlNw=="
}
}
}
//普通用户
[ray@192 ~]$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
[ray@192 ~]$ exit
logout
//root用户
[root@192 ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest b692a91e4e15 2 weeks ago 146 MB
卷
- 以普通用户运行容器时, 容器中的root用户实际上就是主机上的该普通用户。
- 容器中的其他UID/GID则映射到/etc/subuid和/etc/subgid等文件中为该用户指定的范围, 从第一个UID/GID开始。
- 如果以普通用户身份把主机目录挂载到容器中, 并在该目录里以容器内的root身份创建文件, 在主机上会看到这些文件实际上属于你的用户。
//在ray用户创建一个挂载卷目录 (下面storage.conf的toml报错提示第9行出现了'/', 可能是把"//取消注释"这类说明写进了文件; TOML的注释要用#)
[ray@192 ~]$ podman run -it --name web0 -v /home/ray/data:/data:Z busybox /bin/sh
Failed to read /etc/containers/storage.conf toml: line 9: expected '.' or '=', but got '/' instead
Failed to read /etc/containers/storage.conf toml: line 9: expected '.' or '=', but got '/' instead
Resolved "busybox" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 50783e0dfb64 done
Copying config 7a80323521 done
Writing manifest to image destination
Storing signatures
/ # ls
bin data dev etc home proc root run sys tmp usr var
/ # cd data
/data # touch 123 1 2
/data # ls
1 123 2
[ray@192 ~]$ ls /home/ray/data/ //挂载成功
1 123 2
/data # ls -l
total 0
-rw-r--r-- 1 root root 0 Aug 17 03:27 1
-rw-r--r-- 1 root root 0 Aug 17 03:27 123
-rw-r--r-- 1 root root 0 Aug 17 03:27 2
drwxr-xr-x 2 root root 6 Aug 17 03:34 6
//普通用户映射低于1024的特权端口时会报错
[root@192 ~]# vi /etc/sysctl.conf
net.ipv4.ip_unprivileged_port_start=80 //配置后普通用户可以绑定80及以上的端口; 注意这是全局设置, 主机上所有非特权进程都能绑定这些端口
[root@192 ~]# sysctl -p
net.ipv4.ip_unprivileged_port_start = 80
net.ipv4.ping_group_range = 0 300000
[ray@192 ~]$ ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*