Podman container autostart at boot, Podman networking, and common basic Podman commands

Configuring container services to start automatically as the root user

//Pull the official nginx image
[root@localhost ~]# podman pull docker.io/library/nginx
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob 881ff011f1c9 done  
Copying blob e5ae68f74026 done  
Copying blob ed835de16acd done  
Copying blob 77700c52c969 done  
Copying blob 44be98c0fab6 done  
Copying blob 21e0df283cd6 done  
Copying config f652ca386e done  
Writing manifest to image destination
Storing signatures
f652ca386ed135a4cbe356333e08ef0816f81b2ac8d0619af01e2b256837ed3e

[root@localhost ~]# podman create --name nginx docker.io/library/nginx
87d4eec70ef3d61864899dd1391c31e5408d4d845f887e202ed6442e1b60eafc
[root@localhost ~]# docker ps -a
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS      PORTS       NAMES
87d4eec70ef3  docker.io/library/nginx:latest  nginx -g daemon o...  4 seconds ago  Created                 nginx

[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS      PORTS       NAMES
87d4eec70ef3  docker.io/library/nginx:latest  nginx -g daemon o...  8 minutes ago  Created                 nginx
//--new removes the original container on restart and creates a new one at start
[root@localhost ~]# podman generate systemd --new --files --name 87d4eec70ef3
/root/container-nginx.service
[root@localhost ~]# ls
anaconda-ks.cfg  container-nginx.service
[root@localhost ~]# cp container-nginx.service /etc/systemd/system
[root@localhost ~]# systemctl enable container-nginx
Created symlink /etc/systemd/system/multi-user.target.wants/container-nginx.service → /etc/systemd/system/container-nginx.service.
Created symlink /etc/systemd/system/default.target.wants/container-nginx.service → /etc/systemd/system/container-nginx.service.
[root@localhost ~]# systemctl start container-nginx
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS       NAMES
c322750f3952  docker.io/library/nginx:latest  nginx -g daemon o...  5 seconds ago  Up 6 seconds ago              nginx
[root@localhost ~]# systemctl stop container-nginx
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES
[root@localhost ~]# systemctl start container-nginx
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED       STATUS            PORTS       NAMES
2b90c115c4de  docker.io/library/nginx:latest  nginx -g daemon o...  1 second ago  Up 2 seconds ago              nginx

//Reboot and check the status
[root@localhost ~]# reboot

连接断开
连接成功
Last login: Tue Dec 14 19:26:18 2021 from 192.168.216.1
[root@localhost ~]# systemctl status container-nginx
● container-nginx.service - Podman container-nginx.service
   Loaded: loaded (/etc/systemd/system/container-nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-12-14 19:27:13 CST; 26s ago
     Docs: man:podman-generate-systemd(1)
  Process: 1152 ExecStartPre=/bin/rm -f /run/container-nginx.service.ctr-id (code=exited, status=0/SUCCESS)
 Main PID: 1436 (conmon)
    Tasks: 3 (limit: 11208)
   Memory: 77.1M
   CGroup: /system.slice/container-nginx.service
           ├─1367 /usr/bin/fuse-overlayfs -o metacopy=on,lowerdir=/var/lib/containers/storage/overlay/l/K4LM77ZMOXBOGZYZUAHCT42UIJ:/var/lib/containers/storage/overlay/l/FFCXQTA36YMYT75A5MS>
           └─1436 /usr/bin/conmon --api-version 1 -c 8422d2584f2bf9c57346692af7917122974284cee7b380cdb10d45cd2640d134 -u 8422d2584f2bf9c57346692af7917122974284cee7b380cdb10d45cd2640d134 -r>

1214 19:27:13 localhost.localdomain systemd[1]: Starting Podman container-nginx.service...
1214 19:27:13 localhost.localdomain systemd[1]: Started Podman container-nginx.service.
1214 19:27:13 localhost.localdomain podman[1156]: 8422d2584f2bf9c57346692af7917122974284cee7b380cdb10d45cd2640d134

//The container is running normally as well
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED         STATUS             PORTS       NAMES
8422d2584f2b  docker.io/library/nginx:latest  nginx -g daemon o...  56 seconds ago  Up 57 seconds ago              nginx

Autostarting Podman container services as a regular user

Podman can create systemd user unit files for rootless containers, so they can be managed with systemctl like regular services. For example, when a database or web server is deployed as a container, you usually want it to come up together with the server; enabling these services ensures the containers start when the host boots. Because the containers run in rootless mode, the services can be managed from an unprivileged user account, which improves security.

systemd can also manage user services: a regular user can create unit files for their own services and manage them with systemctl. When the service belongs to a non-root user, it starts automatically when that user opens their first session, whether on a text or graphical console or over SSH, and stops when the last session is closed. This differs from system services, which start at system boot and stop at shutdown. The default can be changed: running loginctl enable-linger forces the user's services to start when the server boots and stop when it shuts down. To reverse this, use loginctl disable-linger; to view the current state, use loginctl show-user username.

//Create the ~/.config/systemd/user/ directory to store unit files
[tom@localhost ~]$ mkdir -p .config/systemd/user/

[tom@localhost ~]$ podman images
REPOSITORY                 TAG         IMAGE ID      CREATED      SIZE
docker.io/library/busybox  latest      ffe9d497c324  6 days ago   1.46 MB
docker.io/library/nginx    latest      f652ca386ed1  12 days ago  146 MB
[tom@localhost ~]$ podman run -d --name web docker.io/library/nginx 
ede3695f3e7f26597592f5abcd6896f48cdbff0565dcf6e32d190e383b1bf666

//Generate the service file from the container and move it into the directory just created
[tom@localhost ~]$ podman generate systemd --name web --files
/home/tom/container-web.service
[tom@localhost ~]$ ls
container-web.service
[tom@localhost ~]$ mv container-web.service .config/systemd/user/

[tom@localhost ~]$ systemctl --user daemon-reload

[tom@localhost ~]$ systemctl --user enable --now container-web
Created symlink /home/tom/.config/systemd/user/multi-user.target.wants/container-web.service → /home/tom/.config/systemd/user/container-web.service.
Created symlink /home/tom/.config/systemd/user/default.target.wants/container-web.service → /home/tom/.config/systemd/user/container-web.service.

[tom@localhost ~]$ systemctl --user start container-web
[tom@localhost ~]$ systemctl --user status container-web
● container-web.service - Podman container-web.service
   Loaded: loaded (/home/tom/.config/systemd/user/container-web.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-12-15 02:02:27 CST; 24s ago
     Docs: man:podman-generate-systemd(1)
  Process: 262820 ExecStopPost=/usr/bin/podman stop -t 10 web (code=exited, status=0/SUCCESS)
  Process: 262990 ExecStart=/usr/bin/podman start web (code=exited, status=0/SUCCESS)
 Main PID: 263055 (conmon)
   CGroup: /user.slice/user-1000.slice/user@1000.service/container-web.service

The podman generate systemd command uses a container as the model from which it creates the configuration file.

Options of podman generate systemd:

    --name container_name: specifies the container to use as the template for the unit file. Podman also derives the unit file's name from it: container-container_name.service
    --files: tells Podman to write the unit file into the current directory. Without this option, Podman prints the file to standard output.
    --new: tells Podman to configure the systemd service so that the container is created when the service starts and removed when it stops. In this mode the container is ephemeral and usually needs persistent storage to keep its data. Without --new, Podman configures the service to start and stop an existing container without removing it.

Containers managed with systemctl are controlled by systemd: systemd monitors their state and restarts them when they fail. Do not use podman commands to start or stop these containers; doing so can interfere with systemd's monitoring.
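
The two modes described above leave different fingerprints in the unit file: a --new unit runs `podman run` in ExecStart (and clears a .ctr-id file in ExecStartPre, as in the root example earlier), while the default unit runs `podman start` on a container that must already exist. The following script is an added example for this page, not Podman's own code; it reads a unit file and reports the mode, the container name, and, for --new units, whether any volume is mounted, since without one the data written inside the container is lost on every stop. The sample units are constructed: EXISTING_UNIT mirrors the ExecStart/ExecStopPost lines visible in the systemctl --user status output above, and NEW_UNIT is an abbreviated stand-in for a --new unit (a real one carries more options).

```python
"""Report which `podman generate systemd` mode a unit file uses: `--new`
(ExecStart runs `podman run`: container created on start, removed on stop)
or the default (ExecStart runs `podman start` on an existing container).
Added example for this page, not Podman's code; the sample units below are
constructed (EXISTING_UNIT mirrors the article's status output, NEW_UNIT is
an abbreviated stand-in for a --new unit)."""

import shlex
from dataclasses import dataclass, field

EXISTING_UNIT = """\
[Unit]
Description=Podman container-web.service

[Service]
Restart=on-failure
ExecStart=/usr/bin/podman start web
ExecStopPost=/usr/bin/podman stop -t 10 web
Type=forking
"""

NEW_UNIT = """\
[Unit]
Description=Podman container-nginx.service

[Service]
Restart=on-failure
ExecStartPre=/bin/rm -f %t/container-nginx.service.ctr-id
ExecStart=/usr/bin/podman run --cidfile=%t/container-nginx.service.ctr-id \\
    --rm --replace -d --name nginx docker.io/library/nginx
ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/container-nginx.service.ctr-id
Type=forking
"""

STORAGE_OPTS = ("-v", "--volume", "--mount")


def parse_unit(text):
    """Minimal systemd unit parser: {section: [(key, value), ...]}. Duplicate
    keys are kept in order; backslash continuation lines are joined."""
    sections, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = (pending + " " + raw.strip()).strip() if pending else raw.strip()
        pending = ""
        if line.endswith("\\"):          # continuation: join with the next line
            pending = line[:-1].rstrip()
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            sections.setdefault(section, [])
            continue
        key, _, value = line.partition("=")
        sections.setdefault(section, []).append((key.strip(), value.strip()))
    return sections


def _option_value(args, name):
    """Value of `--name X` or `--name=X` in a podman argument list, else None."""
    for i, a in enumerate(args):
        if a == name and i + 1 < len(args):
            return args[i + 1]
        if a.startswith(name + "="):
            return a[len(name) + 1:]
    return None


@dataclass
class UnitSummary:
    mode: str                             # "new" or "existing"
    container: str                        # name podman is told to run/start
    persistent_storage: "bool | None"     # None: not decidable from the unit
    warnings: list = field(default_factory=list)


def describe_unit(text):
    service = parse_unit(text).get("Service", [])
    exec_start = [v for k, v in service if k == "ExecStart"]
    if len(exec_start) != 1:
        raise ValueError("expected exactly one ExecStart= line")
    argv = shlex.split(exec_start[0])
    podman = [i for i, a in enumerate(argv) if a.rsplit("/", 1)[-1] == "podman"]
    if not podman:
        raise ValueError("ExecStart does not invoke podman")
    args = argv[podman[0] + 1:]
    if args[0] == "run":                  # --new mode
        storage = any(a in STORAGE_OPTS or a.startswith(tuple(o + "=" for o in STORAGE_OPTS))
                      for a in args)
        summary = UnitSummary("new", _option_value(args, "--name"), storage)
        if not storage:
            summary.warnings.append("--new unit mounts no volume: the container is "
                                    "removed on stop and data written inside it is lost")
    elif args[0] == "start":              # default mode: existing container
        summary = UnitSummary("existing", args[-1], None)
        summary.warnings.append("container must already exist; start and stop it "
                                "through systemctl, not with podman directly")
    else:
        raise ValueError(f"unexpected podman subcommand {args[0]!r}")
    return summary


if __name__ == "__main__":
    for unit in (EXISTING_UNIT, NEW_UNIT):
        print(describe_unit(unit))
```

Run it against the file that podman generate systemd --files wrote (read the path into `describe_unit`) before copying the unit into /etc/systemd/system or ~/.config/systemd/user, and you can see at a glance which of the two behaviours you are about to enable.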

//Extension

[tom@localhost ~]$ podman run -d --name web docker.io/library/nginx 
b6900e9df157eaba1a2e5882811368c5f772e5e7bca44819815e2ab3db2e8eb7
[tom@localhost ~]$ systemctl --user start container-web.service 
Job for container-web.service failed because the service did not take the steps required by its unit configuration.
See "systemctl --user status container-web.service" and "journalctl --user -xe" for details.
[tom@localhost ~]$ systemctl --user start container-web.service 


Job for container-web.service failed because a timeout was exceeded.
See "systemctl --user status container-web.service" and "journalctl --user -xe" for details.

[tom@localhost ~]$ podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS             PORTS       NAMES
b6900e9df157  docker.io/library/nginx:latest  nginx -g daemon o...  2 minutes ago  Up 44 seconds ago              web
[tom@localhost ~]$ systemctl --user status container-web.service 
● container-web.service - Podman container-web.service
   Loaded: loaded (/home/tom/.config/systemd/user/container-web.service; enabled; vendor preset: enabled)
   Active: activating (start) since Wed 2021-12-15 02:20:14 CST; 58s ago
     Docs: man:podman-generate-systemd(1)
  Process: 44909 ExecStopPost=/usr/bin/podman stop -t 10 web (code=exited, status=0/SUCCESS)
  Process: 44988 ExecStart=/usr/bin/podman start web (code=exited, status=0/SUCCESS)
   CGroup: /user.slice/user-1000.slice/user@1000.service/container-web.service
           ├─45051 /usr/bin/fuse-overlayfs -o ,lowerdir=/home/tom/.local/share/containers/storage/overlay/l/E36FRUKMGJHH4436BMNZNAQRU2:/home/tom/.local/share/containers/storage/overlay/l/W>
           ├─45055 /usr/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable-sandbox --enable-seccomp -c -e 3 -r 4 --netns-type=path /run/user/1000/netns/cni-051c16a0-58aa-9226-264>
           ├─45074 /usr/bin/conmon --api-version 1 -c b6900e9df157eaba1a2e5882811368c5f772e5e7bca44819815e2ab3db2e8eb7 -u b6900e9df157eaba1a2e5882811368c5f772e5e7bca44819815e2ab3db2e8eb7 ->
           ├─45077 nginx: master process nginx -g daemon off;
           ├─45096 nginx: worker process
           └─45097 nginx: worker process

[tom@localhost ~]$ systemctl --user stop container-web.service 
[tom@localhost ~]$ systemctl --user status container-web.service 
● container-web.service - Podman container-web.service
   Loaded: loaded (/home/tom/.config/systemd/user/container-web.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Wed 2021-12-15 02:24:34 CST; 4s ago
     Docs: man:podman-generate-systemd(1)
  Process: 61670 ExecStopPost=/usr/bin/podman stop -t 10 web (code=exited, status=0/SUCCESS)
  Process: 56753 ExecStart=/usr/bin/podman start web (code=exited, status=0/SUCCESS)
[tom@localhost ~]$ podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS                     PORTS       NAMES
b6900e9df157  docker.io/library/nginx:latest  nginx -g daemon o...  6 minutes ago  Exited (0) 13 seconds ago              web

//Autostart at boot works
[root@localhost ~]# reboot

连接断开
连接成功
Last login: Wed Dec 15 02:09:36 2021 from 192.168.216.1
[root@localhost ~]# chown -R tom /run/user/0
[root@localhost ~]# ssh tom@192.168.216.200
tom@192.168.216.200's password: 
Last login: Wed Dec 15 02:09:03 2021 from 192.168.216.200
[tom@localhost ~]$ podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED         STATUS            PORTS       NAMES
b6900e9df157  docker.io/library/nginx:latest  nginx -g daemon o...  11 minutes ago  Up 4 seconds ago              web

If the original container is deleted and a new one with the same name is created, the original service file can still be used to start and stop it, but the unit's state then changes from running to start (activating).

Podman networking

Differences between rootful and rootless container networking

One of the guiding factors for Podman container networking is whether the container is run by the root user, because unprivileged users cannot create network interfaces on the host. For rootful containers the default network mode therefore uses Container Network Interface (CNI) plugins, specifically the bridge plugin. For rootless containers the default network mode is slirp4netns. Because of its limited privileges, slirp4netns lacks some features of CNI networking; for example, slirp4netns cannot give a container a routable IP address. CNI stands for Container Network Interface.

Firewalls

A firewall does not affect how networks are set up and configured, but it does affect the traffic on those networks. The most obvious case is inbound traffic to the container host, which is usually passed to containers through port mappings. Depending on the firewall implementation, we have observed firewall ports being opened automatically as a result of running a container with a port mapping. If container traffic does not seem to work, check the firewall and allow traffic on the port numbers the containers are using. A common problem is that reloading the firewall deletes the CNI iptables rules, which causes rootful containers to lose network connectivity. Podman v3 provides the podman network reload command to restore them without restarting the containers.

//Start two containers
[root@localhost ~]# podman run -itd --name test docker.io/library/busybox:latest /bin/sh 
012fcfaee4a5441186e86f8194f8165ce05ab0bc6f9e9752bb37830c2fb72877
[root@localhost ~]# podman run -itd --name test1 docker.io/library/busybox:latest /bin/sh 
fe1d8757a02a2a6f56312878f1e6313b06a57ed59df89d580b87a53c35536505

//Get the IP addresses
[root@localhost ~]# podman inspect test1 |grep IPAddress
            "IPAddress": "10.88.0.5",
                    "IPAddress": "10.88.0.5",
[root@localhost ~]# podman inspect test |grep IPAddress
            "IPAddress": "10.88.0.4",
                    "IPAddress": "10.88.0.4",

//Ping from one container to the other
[root@localhost ~]# podman exec -it  test /bin/sh 
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether a6:c0:36:b1:67:89 brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.4/16 brd 10.88.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a4c0:36ff:feb1:6789/64 scope link 
       valid_lft forever preferred_lft forever
/ # ping 10.88.0.5
PING 10.88.0.5 (10.88.0.5): 56 data bytes
64 bytes from 10.88.0.5: seq=0 ttl=64 time=0.054 ms
64 bytes from 10.88.0.5: seq=1 ttl=64 time=0.092 ms
64 bytes from 10.88.0.5: seq=2 ttl=64 time=0.090 ms

cni-podman0 is the counterpart of docker0; see the official documentation for details.

[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                             COMMAND     CREATED        STATUS            PORTS       NAMES
012fcfaee4a5  docker.io/library/busybox:latest  /bin/sh     4 minutes ago  Up 4 minutes ago              test
fe1d8757a02a  docker.io/library/busybox:latest  /bin/sh     4 minutes ago  Up 4 minutes ago              test1
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:b8:7a:28 brd ff:ff:ff:ff:ff:ff
    inet 192.168.216.200/24 brd 192.168.216.255 scope global noprefixroute ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb8:7a28/64 scope link 
       valid_lft forever preferred_lft forever
3: cni-podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether a6:cd:d0:a8:04:45 brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
       valid_lft forever preferred_lft forever
    inet6 fe80::a4cd:d0ff:fea8:445/64 scope link 
       valid_lft forever preferred_lft forever
6: vethf2fd1ef3@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default 
    link/ether 02:b9:7c:13:ee:87 brd ff:ff:ff:ff:ff:ff link-netns cni-5143224d-58db-e3d1-b144-6ecdc5045b50
    inet6 fe80::b9:7cff:fe13:ee87/64 scope link 
       valid_lft forever preferred_lft forever
7: veth576fc012@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default 
    link/ether ce:b4:93:b9:fe:66 brd ff:ff:ff:ff:ff:ff link-netns cni-3e38e6f0-c5a5-c179-04eb-35e330d19531
    inet6 fe80::ccb4:93ff:feb9:fe66/64 scope link 
       valid_lft forever preferred_lft forever

After one container is stopped there is one interface fewer, which shows that each container has its own veth interface.
[root@localhost ~]# podman stop test
test
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                             COMMAND     CREATED        STATUS                      PORTS       NAMES
012fcfaee4a5  docker.io/library/busybox:latest  /bin/sh     8 minutes ago  Exited (137) 5 seconds ago              test
fe1d8757a02a  docker.io/library/busybox:latest  /bin/sh     8 minutes ago  Up 8 minutes ago                        test1
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:b8:7a:28 brd ff:ff:ff:ff:ff:ff
    inet 192.168.216.200/24 brd 192.168.216.255 scope global noprefixroute ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb8:7a28/64 scope link 
       valid_lft forever preferred_lft forever
3: cni-podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether a6:cd:d0:a8:04:45 brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
       valid_lft forever preferred_lft forever
    inet6 fe80::a4cd:d0ff:fea8:445/64 scope link 
       valid_lft forever preferred_lft forever
7: veth576fc012@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default 
    link/ether ce:b4:93:b9:fe:66 brd ff:ff:ff:ff:ff:ff link-netns cni-3e38e6f0-c5a5-c179-04eb-35e330d19531
    inet6 fe80::ccb4:93ff:feb9:fe66/64 scope link 
       valid_lft forever preferred_lft forever

//Start an nginx container
[root@localhost ~]# podman run --name web -itd -p 80:80 docker.io/library/nginx 
7d48e4ec629626835d30dada4f3ef59ed5b0bd8273530537f697793d1cbf5291
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 124 packets, 9628 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    7   364 CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 4 packets, 208 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 137 packets, 10344 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    9   660 CNI-HOSTPORT-MASQ  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* CNI portfwd requiring masquerade */
    0     0 CNI-ffdf9596f40c2ba0142a001c  all  --  *      *       10.88.0.5            0.0.0.0/0            /* name: "podman" id: "fe1d8757a02a2a6f56312878f1e6313b06a57ed59df89d580b87a53c35536505" */
    0     0 CNI-19b1da9d02e54ed54c88e7ab  all  --  *      *       10.88.0.6            0.0.0.0/0            /* name: "podman" id: "7d48e4ec629626835d30dada4f3ef59ed5b0bd8273530537f697793d1cbf5291" */

Chain OUTPUT (policy ACCEPT 136 packets, 10292 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain CNI-ffdf9596f40c2ba0142a001c (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            10.88.0.0/16         /* name: "podman" id: "fe1d8757a02a2a6f56312878f1e6313b06a57ed59df89d580b87a53c35536505" */
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0           !224.0.0.0/4          /* name: "podman" id: "fe1d8757a02a2a6f56312878f1e6313b06a57ed59df89d580b87a53c35536505" */

Chain CNI-19b1da9d02e54ed54c88e7ab (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            10.88.0.0/16         /* name: "podman" id: "7d48e4ec629626835d30dada4f3ef59ed5b0bd8273530537f697793d1cbf5291" */
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0           !224.0.0.0/4          /* name: "podman" id: "7d48e4ec629626835d30dada4f3ef59ed5b0bd8273530537f697793d1cbf5291" */

Chain CNI-HOSTPORT-SETMARK (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* CNI portfwd masquerade mark */ MARK or 0x2000

Chain CNI-HOSTPORT-MASQ (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2000/0x2000

Chain CNI-HOSTPORT-DNAT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    52 CNI-DN-19b1da9d02e54ed54c88e  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "podman" id: "7d48e4ec629626835d30dada4f3ef59ed5b0bd8273530537f697793d1cbf5291" */ multiport dports 80

Chain CNI-DN-19b1da9d02e54ed54c88e (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       10.88.0.0/16         0.0.0.0/0            tcp dpt:80
    0     0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:80
    1    52 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.88.0.6:80

[root@localhost ~]# podman inspect web |grep IPAddress
            "IPAddress": "10.88.0.6",
                    "IPAddress": "10.88.0.6",
//After creating the container with a port mapping, the firewall rules were added automatically
[root@localhost ~]# curl 10.88.0.6
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>


//Flush the firewall rules
[root@localhost ~]# iptables -t nat -F
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 130 packets, 10096 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 4 packets, 208 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 150 packets, 11316 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 149 packets, 11264 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain CNI-ffdf9596f40c2ba0142a001c (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CNI-19b1da9d02e54ed54c88e7ab (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CNI-HOSTPORT-SETMARK (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CNI-HOSTPORT-MASQ (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CNI-HOSTPORT-DNAT (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CNI-DN-19b1da9d02e54ed54c88e (0 references)
 pkts bytes target     prot opt in     out     source               destination         

After the rules are flushed, the container can no longer be reached.

//Restart the container; the rules are added again
[root@localhost ~]# podman restart -l //-l means the most recently created container
7d48e4ec629626835d30dada4f3ef59ed5b0bd8273530537f697793d1cbf5291
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 181 packets, 12826 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   104 CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 4 packets, 208 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 164 packets, 12204 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   104 CNI-HOSTPORT-MASQ  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* CNI portfwd requiring masquerade */
    0     0 CNI-19b1da9d02e54ed54c88e7ab  all  --  *      *       10.88.0.7            0.0.0.0/0            /* name: "podman" id: "7d48e4ec629626835d30dada4f3ef59ed5b0bd8273530537f697793d1cbf5291" */

Chain OUTPUT (policy ACCEPT 161 packets, 12048 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain CNI-ffdf9596f40c2ba0142a001c (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CNI-HOSTPORT-SETMARK (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* CNI portfwd masquerade mark */ MARK or 0x2000

Chain CNI-HOSTPORT-MASQ (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2000/0x2000

Chain CNI-HOSTPORT-DNAT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   104 CNI-DN-19b1da9d02e54ed54c88e  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "podman" id: "7d48e4ec629626835d30dada4f3ef59ed5b0bd8273530537f697793d1cbf5291" */ multiport dports 80

Chain CNI-19b1da9d02e54ed54c88e7ab (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            10.88.0.0/16         /* name: "podman" id: "7d48e4ec629626835d30dada4f3ef59ed5b0bd8273530537f697793d1cbf5291" */
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0           !224.0.0.0/4          /* name: "podman" id: "7d48e4ec629626835d30dada4f3ef59ed5b0bd8273530537f697793d1cbf5291" */

Chain CNI-DN-19b1da9d02e54ed54c88e (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       10.88.0.0/16         0.0.0.0/0            tcp dpt:80
    0     0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:80
    2   104 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.88.0.7:80
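
The flush-and-restart exercise above shows what the firewall paragraph warned about: the port mapping only works while the CNI-HOSTPORT-DNAT chain is referenced from PREROUTING/OUTPUT and the CNI-DN-* chain holds its DNAT rule. The script below is an added example for this page, not Podman's code; it parses `iptables -t nat -nvL` output, lists the DNAT port forwards Podman installed, and reports the detached state left behind by a flush or a firewall reload, so the check can run from a cron job or a monitoring agent before users notice. HEALTHY_NAT and FLUSHED_NAT are excerpts of the listings shown above (before and after iptables -t nat -F).

```python
"""Parse `iptables -t nat -nvL` output and check the CNI port-forward (DNAT)
rules Podman's bridge network installs for `-p host:container` mappings.
Added example for this page, not Podman's code. HEALTHY_NAT and FLUSHED_NAT
are excerpts of the listings in the article (before and after the flush)."""

import re
from dataclasses import dataclass

HEALTHY_NAT = """\
Chain PREROUTING (policy ACCEPT 124 packets, 9628 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   364 CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain CNI-HOSTPORT-DNAT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    1    52 CNI-DN-19b1da9d02e54ed54c88e  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "podman" id: "7d48e4ec629626835d30dada4f3ef59ed5b0bd8273530537f697793d1cbf5291" */ multiport dports 80

Chain CNI-DN-19b1da9d02e54ed54c88e (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       10.88.0.0/16         0.0.0.0/0            tcp dpt:80
    0     0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:80
    1    52 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.88.0.6:80
"""

FLUSHED_NAT = """\
Chain PREROUTING (policy ACCEPT 130 packets, 10096 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain CNI-HOSTPORT-DNAT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain CNI-DN-19b1da9d02e54ed54c88e (0 references)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
REFS_RE = re.compile(r"^(\d+) references$")
# DNAT rule in a CNI-DN-* chain: counters, target, proto, ..., "dpt:N to:IP:PORT"
DNAT_RE = re.compile(r"^\s*\d+\s+\d+\s+DNAT\s+(tcp|udp)\s.*\bdpt:(\d+)\s+to:([\d.]+):(\d+)\s*$")


@dataclass(frozen=True)
class PortForward:
    chain: str
    proto: str
    host_port: int
    dest_ip: str
    dest_port: int


def parse_nat_listing(listing):
    """Return (forwards, references): DNAT port forwards found in CNI-DN-*
    chains, and the reference count of every user-defined chain."""
    forwards, references, chain = [], {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            r = REFS_RE.match(m.group(2))       # built-in chains show a policy instead
            if r:
                references[chain] = int(r.group(1))
            continue
        if chain is None or not chain.startswith("CNI-DN-"):
            continue
        m = DNAT_RE.match(line)
        if m:
            forwards.append(PortForward(chain, m.group(1), int(m.group(2)),
                                        m.group(3), int(m.group(4))))
    return forwards, references


def check_port_forwards(listing, expected):
    """expected: iterable of (proto, host_port) the running containers publish.
    Returns a list of problems; an empty list means the NAT rules are intact."""
    forwards, references = parse_nat_listing(listing)
    problems = []
    if references.get("CNI-HOSTPORT-DNAT", 0) == 0:
        problems.append("CNI-HOSTPORT-DNAT is not referenced from PREROUTING/OUTPUT: "
                        "port forwarding is detached (rules flushed or firewall reloaded)")
    present = {(f.proto, f.host_port) for f in forwards}
    for proto, port in expected:
        if (proto, port) not in present:
            problems.append(f"no DNAT rule publishes {proto}/{port}")
    return problems


if __name__ == "__main__":
    for name, listing in (("healthy", HEALTHY_NAT), ("flushed", FLUSHED_NAT)):
        fwds, _ = parse_nat_listing(listing)
        print(name, [f"{f.proto}/{f.host_port} -> {f.dest_ip}:{f.dest_port}" for f in fwds],
              check_port_forwards(listing, [("tcp", 80)]))
```

In production, feed `check_port_forwards` the live output of iptables -t nat -nvL and the ports your containers publish (podman port -a lists them); a non-empty result is the cue to run podman network reload rather than to restart the containers.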

Configuration file paths

Path of the CNI network configuration directory: /etc/cni/net.d //the subnet and the network mode can be changed in /etc/cni/net.d/87-podman.conflist

/usr/share/containers/containers.conf //the env setting in this file's [engine] table sets environment variables; it can be used to set the default location of the containers.conf file, the default location of the registries.conf file, and so on.

Common Podman commands

Command             Purpose
podman attach       Attach to a running container.
podman auto-update  Auto-update containers according to their auto-update policy.
podman build        Build a container image from a Containerfile.
podman commit       Create a new image from a changed container.
podman completion   Generate shell completion scripts.
podman container    Manage containers.
podman cp           Copy files/folders between a container and the local filesystem.
podman create       Create a new container.
podman diff         Inspect changes on a container's or image's filesystem.
podman events       Monitor Podman events.
podman exec         Run a command in a running container.
podman export       Export a container's filesystem contents as a tar archive.
podman generate     Generate structured data based on containers, pods or volumes.
podman healthcheck  Manage health checks on containers.
podman history      Show the history of an image.
podman image        Manage images.
podman images       List images in local storage.
podman import       Import a tarball and save it as a filesystem image.
podman info         Display Podman-related system information.
podman init         Initialize one or more containers.
podman inspect      Display the configuration of a container, image, volume, network or pod.
podman kill         Kill the main process in one or more containers.
podman load         Load image(s) from a tar archive into container storage.
podman login        Log in to a container registry.
podman logout       Log out of a container registry.
podman logs         Display the logs of one or more containers.
podman machine      Manage Podman's virtual machine.
podman manifest     Create and manipulate manifest lists and image indexes.
podman mount        Mount a working container's root filesystem.
podman network      Manage Podman CNI networks.
podman pause        Pause one or more containers.
podman play         Play containers, pods or volumes from a structured input file.
podman pod          Management tool for groups of containers, called pods.
podman port         List a container's port mappings.
podman ps           Print information about containers.
podman pull         Pull an image from a registry.
podman push         Push an image, manifest list or image index from local storage to another location.
podman rename       Rename an existing container.
podman restart      Restart one or more containers.
podman rm           Remove one or more containers.
podman rmi          Remove one or more locally stored images.
podman run          Run a command in a new container.
podman save         Save an image to an archive.
podman search       Search a registry for images.
podman secret       Manage podman secrets.
podman start        Start one or more containers.
podman stats        Display a live stream of resource usage statistics for one or more containers.
podman stop         Stop one or more running containers.
podman system       Manage podman.
podman tag          Add an additional name to a local image.
podman top          Display a container's running processes.
podman unmount      Unmount a working container's root filesystem.
podman unpause      Unpause one or more containers.
podman unshare      Run a command inside a modified user namespace.
podman untag        Remove one or more names from a locally stored image.
podman version      Display Podman version information.
podman volume       Simple volume management tool.
podman wait         Wait for one or more containers to stop and print their exit codes.
//Built-in help
[root@localhost ~]# podman --help
Manage pods, containers and images

Usage:
  podman [options] [command]

Available Commands:
  attach      Attach to a running container
  auto-update Auto update containers according to their auto-update policy
  build       Build an image using instructions from Containerfiles
  commit      Create new image based on the changed container
  container   Manage containers
  cp          Copy files/folders between a container and the local filesystem
  create      Create but do not start a container
  diff        Display the changes to the object's file system
  events      Show podman events
  exec        Run a process in a running container
  export      Export container's filesystem contents as a tar archive
  generate    Generate structured data based on containers, pods or volumes.
  healthcheck Manage health checks on containers
  help        Help about any command
  history     Show history of a specified image
  image       Manage images
  images      List images in local storage
  import      Import a tarball to create a filesystem image
  info        Display podman system information
  init        Initialize one or more containers
  inspect     Display the configuration of object denoted by ID
  kill        Kill one or more running containers with a specific signal
  load        Load image(s) from a tar archive
  login       Login to a container registry
  logout      Logout of a container registry
  logs        Fetch the logs of one or more containers
  machine     Manage a virtual machine
  manifest    Manipulate manifest lists and image indexes
  mount       Mount a working container's root filesystem
  network     Manage networks
  pause       Pause all the processes in one or more containers
  play        Play containers, pods or volumes from a structured file.
  pod         Manage pods
  port        List port mappings or a specific mapping for the container
  ps          List containers
  pull        Pull an image from a registry
  push        Push an image to a specified destination
  rename      Rename an existing container
  restart     Restart one or more containers
  rm          Remove one or more containers
  rmi         Removes one or more images from local storage
  run         Run a command in a new container
  save        Save image(s) to an archive
  search      Search registry for image
  secret      Manage secrets
  start       Start one or more containers
  stats       Display a live stream of container resource usage statistics
  stop        Stop one or more containers
  system      Manage podman
  tag         Add an additional name to a local image
  top         Display the running processes of a container
  unmount     Unmounts working container's root filesystem
  unpause     Unpause the processes in one or more containers
  unshare     Run a command in a modified user namespace
  untag       Remove a name from a local image
  version     Display the Podman Version Information
  volume      Manage volumes
  wait        Block on one or more containers

Options:
      --cgroup-manager string      Cgroup manager to use ("cgroupfs"|"systemd") (default "systemd")
      --cni-config-dir string      Path of the configuration directory for CNI networks (default "/usr/libexec/cni")
      --conmon string              Path of the conmon binary
  -c, --connection string          Connection to use for remote Podman service
      --events-backend string      Events backend to use ("file"|"journald"|"none") (default "file")
      --help                       Help for podman
      --hooks-dir strings          Set the OCI hooks directory path (may be set multiple times) (default [/usr/share/containers/oci/hooks.d])
      --identity string            path to SSH identity file, (CONTAINER_SSHKEY)
      --log-level string           Log messages above specified level (trace, debug, info, warn, warning, error, fatal, panic) (default "warn")
      --namespace string           Set the libpod namespace, used to create separate views of the containers and pods on the system
      --network-cmd-path string    Path to the command for configuring the network
  -r, --remote                     Access remote Podman service (default false)
      --root string                Path to the root directory in which data, including images, is stored
      --runroot string             Path to the 'run directory' where all state information is stored
      --runtime string             Path to the OCI-compatible binary used to run containers, default is /usr/bin/runc
      --runtime-flag stringArray   add global flags for the container runtime
      --storage-driver string      Select which storage driver is used to manage storage of images and containers (default is overlay)
      --storage-opt stringArray    Used to pass an option to the storage driver
      --syslog                     Output logging information to syslog as well as the console (default false)
      --tmpdir string              Path to the tmp directory for libpod state content.
                                   
                                   Note: use the environment variable 'TMPDIR' to change the temporary storage location for container images, '/var/tmp'.
                                   
      --url string                 URL to access Podman service (CONTAINER_HOST) (default "unix:/run/podman/podman.sock")
  -v, --version                    version for podman


[root@localhost ~]# man podman
COMMANDS
       ┌──────────────────────┬──────────────────────────────────────────────────────────────┐
       │Command               │ Description                                                  │
       ├──────────────────────┼──────────────────────────────────────────────────────────────┤
       │podman-attach(1)      │ Attach to a running container.                               │
       ├──────────────────────┼──────────────────────────────────────────────────────────────┤
       │podman-auto-update(1) │ Auto update containers according to their auto-update policy │
       ├──────────────────────┼──────────────────────────────────────────────────────────────┤
       │podman-build(1)       │ Build a container image using a Containerfile.               │
       ├──────────────────────┼──────────────────────────────────────────────────────────────┤
       │podman-commit(1)      │ Create new image based on the changed container.             │
       ├──────────────────────┼──────────────────────────────────────────────────────────────┤
       │podman-completion(1)  │ Generate shell completion scripts                            │
       ├──────────────────────┼──────────────────────────────────────────────────────────────┤
       │podman-container(1)   │ Manage containers.                                           │
       ├──────────────────────┼──────────────────────────────────────────────────────────────┤
       │podman-cp(1)          │ Copy files/folders between a container and the local         │
....................//look up the detailed man page of a specific subcommand
[root@localhost ~]# man podman-pod
podman-pod(1)                                                                    General Commands Manual                                                                   podman-pod(1)

NAME
       podman-pod - Management tool for groups of containers, called pods

SYNOPSIS
       podman pod subcommand

DESCRIPTION
       podman pod is a set of subcommands that manage pods, or groups of containers.

SUBCOMMANDS
       ┌────────┬───────────────────────┬────────────────────────────────────────────────┐
       │Command │ Man Page              │ Description                                    │
       ├────────┼───────────────────────┼────────────────────────────────────────────────┤
       │create  │ podman-pod-create(1)  │ Create a new pod.