php pod exec, Getting started with podman

Installation

The official CentOS yum repository currently ships podman-1.4.4, which is not far behind the latest 1.5, so on CentOS 7 a plain yum install -y podman is enough.

Starting a container

podman search busybox

podman pull docker.io/library/busybox

podman run -it --rm busybox

Look at the related processes:


Process analysis:

The podman process does not exit immediately.

The podman process is not an ancestor of the container process (2953) either;

the conmon process (2943) is the parent of the container process.

Use execsnoop to understand podman's basic logic (columns are PID, PPID and the command exec'd):

3182 2530 podman run -it --rm busybox
3188 3187 /usr/sbin/iptables --version
3189 3187 /usr/sbin/ip6tables --version
3195 3193 /usr/libexec/cni/loopback
3200 3193 /usr/libexec/cni/bridge
3206 3200 /usr/libexec/cni/host-local
3212 3200 /usr/sbin/iptables --version
3213 3200 /usr/sbin/iptables -t nat -S --wait
3214 3200 /usr/sbin/iptables -t nat -N CNI-d286860d1f2c10088f58c4fa --wait
3215 3200 /usr/sbin/iptables -t nat -C CNI-d286860d1f2c10088f58c4fa -d 10.88.0.4/16 -j ACCEPT [...]
3216 3200 /usr/sbin/iptables -t nat -A CNI-d286860d1f2c10088f58c4fa -d 10.88.0.4/16 -j ACCEPT [...]
3217 3194 /usr/lib/systemd/systemd-sysctl --prefix=/net/ipv4/conf/vethaec894ac --prefix=/net/ipv4/neigh/vethaec894ac --prefix=/net/ipv6/conf/vethaec894ac --prefix=/net/ipv6/neigh/vethaec894ac
3218 3200 /usr/sbin/iptables -t nat -C CNI-d286860d1f2c10088f58c4fa ! -d 224.0.0.0/4 -j [...]
3219 3200 /usr/sbin/iptables -t nat -A CNI-d286860d1f2c10088f58c4fa ! -d 224.0.0.0/4 -j [...]
3220 3200 /usr/sbin/iptables -t nat -C POSTROUTING -s 10.88.0.4 -j CNI-d286860d1f2c10088f58c4fa [...]
3221 3200 /usr/sbin/iptables -t nat -A POSTROUTING -s 10.88.0.4 -j CNI-d286860d1f2c10088f58c4fa [...]
3222 3190 /usr/libexec/cni/portmap
3226 3190 /usr/sbin/iptables -t filter -S --wait
3227 3190 /usr/sbin/iptables -t filter -S --wait
3228 3190 /usr/sbin/iptables -t filter -C FORWARD -m comment --comment CNI firewall plugin rules [...]
3229 3190 /usr/sbin/iptables -t filter -C CNI-FORWARD -m comment --comment CNI firewall plugin rules [...]
3230 3190 /usr/sbin/iptables -t filter -C CNI-FORWARD -d 10.88.0.4/32 -m conntrack [...]
3231 3190 /usr/sbin/iptables -t filter -A CNI-FORWARD -d 10.88.0.4/32 -m conntrack [...]
3232 3190 /usr/sbin/iptables -t filter -C CNI-FORWARD -s 10.88.0.4/32 -j ACCEPT [...]
3233 3190 /usr/sbin/iptables -t filter -A CNI-FORWARD -s 10.88.0.4/32 -j ACCEPT [...]
3234 3191 /usr/libexec/podman/conmon -s -c 25320a1e64226351a66056671a5f0c8c382204b3ea183d69d1fce06293164f8d -u 25320a1e64226351a66056671a5f0c8c382204b3ea183d69d1fce06293164f8d -n sad_dijkstra -r [...]
3236 3235 /usr/bin/runc --systemd-cgroup
3242 3241 /usr/bin/runc init
3252 3190 /usr/bin/runc start 25320a1e64226351a66056671a5f0c8c382204b3ea183d69d1fce06293164f8d
3245 3244 sh


First, the network environment is prepared, using iptables and containernetworking-plugins (the CNI plugins: bridge, host-local, portmap and the firewall rules).

Then conmon is started, and conmon uses runc to create and start the container process.
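To make that two-phase picture checkable, here is an added example (not code from the original post) that parses a constructed subset of the execsnoop listing above, labels each exec with a phase name of my own choosing, verifies that every CNI/iptables exec precedes conmon and that conmon precedes runc, and collects the CNI-* iptables chains the plugins created, which is what you would inspect afterwards with iptables -S when auditing a host.

```python
import re
# Constructed subset of the execsnoop listing above (columns: PID PPID CMD).
EXECSNOOP_SAMPLE = """\
3182 2530 podman run -it --rm busybox
3200 3193 /usr/libexec/cni/bridge
3206 3200 /usr/libexec/cni/host-local
3214 3200 /usr/sbin/iptables -t nat -N CNI-d286860d1f2c10088f58c4fa --wait
3221 3200 /usr/sbin/iptables -t nat -A POSTROUTING -s 10.88.0.4 -j CNI-d286860d1f2c10088f58c4fa [...]
3231 3190 /usr/sbin/iptables -t filter -A CNI-FORWARD -d 10.88.0.4/32 -m conntrack [...]
3234 3191 /usr/libexec/podman/conmon -s -c 25320a1e64226351a66056671a5f0c8c382204b3ea183d69d1fce06293164f8d -u 25320a1e64226351a66056671a5f0c8c382204b3ea183d69d1fce06293164f8d -n sad_dijkstra -r [...]
3236 3235 /usr/bin/runc --systemd-cgroup
3252 3190 /usr/bin/runc start 25320a1e64226351a66056671a5f0c8c382204b3ea183d69d1fce06293164f8d
3245 3244 sh
"""

def parse_execsnoop(text):
    """Return [(pid, ppid, argv)] for every 'PID PPID CMD' line."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit() and parts[1].isdigit():
            events.append((int(parts[0]), int(parts[1]), parts[2:]))
    return events

def classify(argv):
    """Phase label (my own names, not podman's) for one exec'd command."""
    exe = argv[0]
    if exe.startswith("/usr/libexec/cni/"):
        return "cni-plugin"
    if exe.endswith(("/iptables", "/ip6tables", "/systemd-sysctl")):
        return "netsetup"
    for tool in ("podman", "conmon", "runc"):
        if exe == tool or exe.endswith("/" + tool):
            return tool
    return "container"  # whatever runs after runc init is the workload itself

def phase_order(events):
    """Phases in order of first appearance."""
    return list(dict.fromkeys(classify(argv) for _, _, argv in events))

def network_before_runtime(events):
    """True if every CNI/iptables exec precedes conmon, and conmon precedes runc."""
    order = [classify(argv) for _, _, argv in events]
    net = [i for i, p in enumerate(order) if p in ("cni-plugin", "netsetup")]
    return max(net) < order.index("conmon") < order.index("runc")

def cni_chains(events):
    """Names of the CNI-* iptables chains referenced during network setup."""
    return {m for _, _, argv in events for m in re.findall(r"\bCNI-\w+", " ".join(argv))}
```

On a real host, feed it the output of execsnoop captured during podman run instead of the constructed sample.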

Use podman info to learn about the installation:

[root@docker ~]# podman info
host:
  BuildahVersion: 1.9.0
  Conmon:
    package: podman-1.4.4-4.el7.centos.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 0.3.0, commit: unknown'
  Distribution:
    distribution: '"centos"'
    version: "7"
  MemFree: 81936384
  MemTotal: 1567813632
  OCIRuntime:
    package: runc-1.0.0-65.rc8.el7.centos.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 3111645184
  SwapTotal: 3221221376
  arch: amd64
  cpus: 1
  hostname: docker
  kernel: 3.10.0-957.1.3.el7.x86_64
  os: linux
  rootless: false
  uptime: 216h 45m 40.51s (Approximately 9.00 days)
registries:
  blocked: null
  insecure: null
  search:
  - registry.access.redhat.com
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.centos.org
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 1
  GraphDriverName: overlay
  GraphOptions: null
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 1
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes


This shows a buildah version number. What is the relationship between podman and buildah? buildah is for building images and should be usable on its own, yet building an image with podman does not spawn a buildah process. Is it compiled into the podman binary? (That is indeed the case: "Podman uses Buildah's golang API and can be installed independently from Buildah"; see https://github.com/containers/libpod)

Although buildah also has a run operation and a notion of containers, these differ from podman's: buildah's run is the equivalent of RUN in a Dockerfile, and its container is only a transient state.

conmon:

registries: multiple registries are allowed

storage

Storage driver: overlay. Docker already defaults to overlay2; why does podman still not support overlay2?

Storage location: /var/lib/containers/storage

Remote connections to podman

No distribution currently ships this feature. It is implemented with varlink, which originally only listens on a local unix socket; a remote connection therefore has to go through an ssh tunnel first, which is fair enough.

Rootless

This requires crun as the runtime instead of runc, because cgroup v2 is needed and runc does not support cgroup v2.

Skopeo

A tool for working with image registries.

Container migration

Although you can take a checkpoint, save it to a file, restore it on another machine and keep running, from the network's point of view the pause is too long, or the connection is simply broken, whereas live migration of virtual machines in OpenStack is basically imperceptible.

Testing showed that even completing an export with podman's checkpoint feature is hard; it has not been tested successfully yet. Also, if the container contains zombie processes, it basically cannot be exported at all.
