1 Introduction to Podman
Podman is an open-source project that runs on most Linux platforms and is developed openly on GitHub. Podman is a daemonless container engine for developing, managing and running Open Container Initiative (OCI) containers and container images on Linux. Podman provides a Docker-compatible command-line front end that can simply stand in for the Docker CLI; in the simplest case you add the alias "alias docker=podman" and use podman in its place.
Containers under Podman's control can be run by the root user or by an unprivileged user. Podman manages the whole container ecosystem: pods, containers, container images and container volumes, using the libpod library. Podman focuses on all the commands and functions that help you maintain and modify OCI container images, such as pulling and tagging. It lets you create, run and maintain containers created from those images in production (from the Podman website).
2 How Podman works
Podman was originally part of the CRI-O project and was later split out into a separate project called libpod. Using Podman feels similar to Docker; the difference is that Podman has no daemon. With the Docker CLI, the CLI talks to the Docker Engine over a gRPC API to say "I want to start a container", and only then does the Docker Engine start the container through an OCI container runtime (runc by default). This means the container process cannot be a child of the Docker CLI; it is a child of the Docker Engine.
Podman is more direct: it uses no daemon and starts the container straight through the OCI runtime (also runc by default), so the container process is a child process of podman. This resembles the Linux fork/exec model, whereas Docker uses a client/server (C/S) model. Compared with the C/S model, the fork/exec model has several advantages, for example:
- The system administrator can tell exactly who started a given container process.
- If cgroup limits are applied to podman, every container it creates is subject to those limits.
- SD_NOTIFY: if the podman command is placed in a systemd unit file, the container process can send a notification back through podman to indicate that the service is ready to accept work.
- Socket activation: a connected socket can be passed from systemd to podman and on to the container process so that the container can use it.
3 Differences between Podman and Docker
podman (Pod Manager) is a container management tool released by Red Hat. It is positioned as a replacement for docker and its usage is similar to docker's. podman originates from the CRI-O project and can call the OCI implementation (such as runC) directly, so its call path is shorter than docker's.
The main difference between the two is that podman is an open-source product, while docker has already become a commercial product.
3.1 What are the main differences between podman and Docker
- When docker implements CRI it needs a daemon, and that daemon has to run as root, which brings security risks.
- podman needs neither a daemon nor a root user, so its logical architecture is more sensible than docker's.
- In docker's runtime chain, several daemons are involved before the OCI implementation runC is reached.
- In the container management chain, the Docker Engine is the dockerd daemon, which on Linux must run as root; dockerd calls containerd, containerd calls containerd-shim, and only then is runC called. As the name suggests, the shim acts as a "spacer" so that an exiting parent process does not take the container down with it.
- podman calls the OCI runtime (runC) directly and uses conmon to manage the container process, without a root daemon such as dockerd.
- In the podman system there is a helper process called conmon, usually located at /usr/libexec/podman/conmon. It is the parent of each container process, one conmon per container, and conmon's own parent is normally PID 1. conmon in podman is the counterpart of containerd-shim in docker.
The following diagram is commonly used to describe the difference between podman and docker.
What the diagram shows is that podman needs no daemon while docker does. In this diagram, docker's containerd-shim and podman's conmon are both placed in the Container layer.
3.2 How does using podman differ from docker
- podman is also positioned to be docker-compatible, so in use it stays as close to docker as possible. Usage can be considered from two angles: that of the system builder and that of the end user.
- For the system builder, podman's default software differs little from docker's; the differences lie in the process model and process relationships. If you are used to debugging docker through its several associated processes, you will need to adapt in podman. The pstree command shows the process tree. Overall podman is simpler than docker. Because podman has one fewer daemon layer than docker, its restart mechanism is also different.
- For the end user, podman's commands are largely compatible with docker's, covering the container runtime (run/start/kill/ps/inspect), local images (images/rmi/build), image registries (login/pull/push) and so on. The podman command-line tool therefore resembles docker's for tasks such as building images and starting and stopping containers; you can even substitute it with alias docker=podman. As a result, even when using podman you can still use docker.io as the image registry, which is the most important part of the compatibility.
The following diagram shows the docker and podman subcommands; they are very close.
podman also lacks some features compared with docker, for example it does not support Windows or the docker-compose orchestration tool. In a Kubernetes or OpenShift environment these clearly do not matter much.
4 Podman deployment and usage
// ships with the CentOS 8 system
[root@podman ~]# dnf -y install podman
[root@podman ~]# rpm -qa | grep podman
podman-3.4.1-3.module_el8.6.0+954+963caf36.x86_64
podman-catatonit-3.4.1-3.module_el8.6.0+954+963caf36.x86_64
// set an alias
[root@podman ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@podman ~]# docker images
-bash: docker: 未找到命令
[root@podman ~]# alias docker=podman
[root@podman ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@podman ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
4.1 podman help
To get some help and understand how Podman works, you can consult the help output
$ podman --help
$ podman <subcommand> --help
For more details, you can consult the manual pages
$ man podman
$ man podman-<subcommand>
See also the Podman troubleshooting guide for known issues and tips on how to resolve common configuration mistakes
5 Common Podman commands
5.1 podman version (show the version)
[root@podman ~]# podman version
Version: 3.4.1-dev
API Version: 3.4.1-dev
Go Version: go1.16.7
Built: Tue Oct 19 12:11:42 2021
OS/Arch: linux/amd64
5.2 podman info (show information about the whole system)
[root@podman ~]# podman info
host:
arch: amd64
buildahVersion: 1.23.1
cgroupControllers:
- cpuset
- cpu
- cpuacct
- blkio
- memory
- devices
- freezer
- net_cls
- perf_event
- net_prio
- hugetlb
- pids
- rdma
cgroupManager: systemd
cgroupVersion: v1
conmon:
package: conmon-2.0.30-1.module_el8.6.0+944+d413f95e.x86_64
path: /usr/bin/conmon
version: 'conmon version 2.0.30, commit: e28f6ed9f4a6f18e27f3efdab92de483806e6b9c'
cpus: 4
distribution:
distribution: '"centos"'
version: "8"
eventLogger: file
hostname: podman
......
5.3 podman search (search for images)
// --filter=is-official: only search for official images
[root@podman ~]# podman search nginx --filter=is-official
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
docker.io docker.io/library/nginx Official build of Nginx. 15928 [OK]
// default search
[root@podman ~]# podman search nginx
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
fedoraproject.org registry.fedoraproject.org/f29/nginx 0
fedoraproject.org registry.fedoraproject.org/f29/origin-nginx-router 0
redhat.com registry.access.redhat.com/ubi8/nginx-120 Platform for running nginx 1.20 or building ... 0
redhat.com registry.access.redhat.com/ubi8/nginx-118 Platform for running nginx 1.18 or building ... 0
redhat.com registry.access.redhat.com/rhscl/nginx-110-rhel7 Nginx container image that delivers an nginx... 0
redhat.com registry.access.redhat.com/rhscl/nginx-16-rhel7 Nginx 1.6 server and a reverse proxy server 0
redhat.com registry.access.redhat.com/rhscl/nginx-18-rhel7 Nginx 1.8 server and a reverse proxy server 0
redhat.com registry.access.redhat.com/rhscl/nginx-112-rhel7 Nginx is a web server and a reverse proxy se... 0
redhat.com registry.access.redhat.com/ubi7/nginx-118 Platform for running nginx 1.18 or building ... 0
redhat.com registry.access.redhat.com/rhscl/nginx-114-rhel7 Nginx is a web server and a reverse proxy se... 0
redhat.com registry.access.redhat.com/3scale-amp23/apicast-gateway 3scale's API gateway (APIcast) is an OpenRe... 0
redhat.com registry.access.redhat.com/3scale-amp20/apicast-gateway 3scale's API gateway (APIcast) is an OpenRes... 0
........
5.4 podman pull (pull an image)
Podman searches several image registries, so it is recommended to use the full image name to make sure you pull the image you intend to use
[root@podman ~]# podman pull docker.io/library/nginx
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob 77700c52c969 done
Copying blob 881ff011f1c9 done
Copying blob ed835de16acd done
Copying blob e5ae68f74026 done
Copying blob 21e0df283cd6 done
Writing manifest to image destination
Storing signatures
f652ca386ed135a4cbe356333e08ef0816f81b2ac8d0619af01e2b256837ed3e
// list images
[root@podman ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest f652ca386ed1 11 days ago 146 MB
5.5 podman run (run a container)
[root@podman ~]# podman run -dt -p 8080:80/tcp docker.io/library/nginx
7a7ef04f9b85ef73a9d6617974fcc5d94995dc5c7da7c0e1a1d62f5214bd229b
[root@podman ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7a7ef04f9b85 docker.io/library/nginx:latest nginx -g daemon o... 19 seconds ago Up 19 seconds ago 0.0.0.0:8080->80/tcp nervous_antonelli
Because the container runs in detached mode, indicated by -d in the podman run command, Podman prints the container ID after the command executes. It also allocates a pseudo-tty (-t) so that arbitrary commands can be run in an interactive shell.
We use port forwarding (-p 8080:80/tcp) to reach the Nginx server. For this to work, at least slirp4netns v0.3.0 is required.
Test the nginx container
[root@podman ~]# curl 10.88.0.2
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
5.6 podman inspect (show container details)
// -l shows the most recently created container. When a container runs in rootless mode no IP address is assigned to it; this one was started as root, hence the address below
…………
[root@podman ~]# podman inspect -l
"SandboxKey": "/run/netns/cni-3e4b2360-c785-2355-030f-2f99cb466dfa",
"Networks": {
"podman": {
"EndpointID": "",
"Gateway": "10.88.0.1",
"IPAddress": "10.88.0.2",
"IPPrefixLen": 16,
…………
5.7 podman logs (show container logs)
[root@podman ~]# podman logs -l // -l means the most recently created container; otherwise a container must be specified
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2021/12/14 08:54:10 [notice] 1#1: using the "epoll" event method
2021/12/14 08:54:10 [notice] 1#1: nginx/1.21.4
2021/12/14 08:54:10 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
2021/12/14 08:54:10 [notice] 1#1: OS: Linux 4.18.0-257.el8.x86_64
2021/12/14 08:54:10 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2021/12/14 08:54:10 [notice] 1#1: start worker processes
2021/12/14 08:54:10 [notice] 1#1: start worker process 31
2021/12/14 08:54:10 [notice] 1#1: start worker process 32
2021/12/14 08:54:10 [notice] 1#1: start worker process 33
2021/12/14 08:54:10 [notice] 1#1: start worker process 34
192.168.25.1 - - [14/Dec/2021:09:02:17 +0000] "GET / HTTP/1.1" 200 615 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Edg/96.0.1054.53" "-"
2021/12/14 09:02:17 [error] 31#31: *1 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 192.168.25.1, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "192.168.25.147:8080", referrer: "http://192.168.25.147:8080/"
192.168.25.1 - - [14/Dec/2021:09:02:17 +0000] "GET /favicon.ico HTTP/1.1" 404 555 "http://192.168.25.147:8080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Edg/96.0.1054.53" "-"
10.88.0.1 - - [14/Dec/2021:09:03:49 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.61.1" "-"
[root@podman ~]# podman logs 7a7ef04f9b85
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2021/12/14 08:54:10 [notice] 1#1: using the "epoll" event method
2021/12/14 08:54:10 [notice] 1#1: nginx/1.21.4
2021/12/14 08:54:10 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
2021/12/14 08:54:10 [notice] 1#1: OS: Linux 4.18.0-257.el8.x86_64
2021/12/14 08:54:10 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2021/12/14 08:54:10 [notice] 1#1: start worker processes
2021/12/14 08:54:10 [notice] 1#1: start worker process 31
2021/12/14 08:54:10 [notice] 1#1: start worker process 32
2021/12/14 08:54:10 [notice] 1#1: start worker process 33
2021/12/14 08:54:10 [notice] 1#1: start worker process 34
192.168.25.1 - - [14/Dec/2021:09:02:17 +0000] "GET / HTTP/1.1" 200 615 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Edg/96.0.1054.53" "-"
2021/12/14 09:02:17 [error] 31#31: *1 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 192.168.25.1, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "192.168.25.147:8080", referrer: "http://192.168.25.147:8080/"
192.168.25.1 - - [14/Dec/2021:09:02:17 +0000] "GET /favicon.ico HTTP/1.1" 404 555 "http://192.168.25.147:8080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Edg/96.0.1054.53" "-"
10.88.0.1 - - [14/Dec/2021:09:03:49 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.61.1" "-"
5.8 podman top (show the container's pids)
[root@podman ~]# podman top -l
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
root 1 0 0.000 21m30.18880069s pts/0 0s nginx: master process nginx -g daemon off;
nginx 31 1 0.000 21m30.188990305s pts/0 0s nginx: worker process
nginx 32 1 0.000 21m30.189041993s pts/0 0s nginx: worker process
nginx 33 1 0.000 21m30.18908562s pts/0 0s nginx: worker process
nginx 34 1 0.000 21m30.189130536s pts/0 0s nginx: worker process
5.9 podman push (upload an image)
[root@podman ~]# podman login docker.io // podman requires the registry to log in to be specified
Username: zhaojie10
Password:
Login Succeeded!
[root@podman ~]# cat /run/user/0/containers/auth.json
{
"auths": {
"docker.io": {
"auth": "emhhb2ppZTEwOnpqMTcyMDYxNTQ3Mw=="
}
}
[root@podman ~]# podman tag docker.io/library/nginx:latest zhaojie10/podman:nginx // retag the image
[root@podman ~]# podman push zhaojie10/podman:nginx
6 Configuration for regular (non-root) users
Before allowing users without root privileges to run Podman, the administrator must install or build Podman and complete the following configuration.
The cgroup V2 Linux kernel feature lets users limit the amount of resources a rootless container can use. If the Linux distribution you run Podman on has cgroup V2 enabled, you may need to change the default OCI runtime. Some older versions of runc cannot work with cgroup V2, and you may need to switch to the alternative OCI runtime crun.
[root@podman ~]# yum -y install crun // ships with CentOS 8
[root@podman ~]# vim /usr/share/containers/containers.conf
....
# Default OCI runtime
#
runtime = "crun" // uncomment and change the value to crun
6.1 Install slirp4netns
The slirp4netns package provides user-mode networking for unprivileged network namespaces and must be installed on the machine for Podman to run in a rootless environment
[root@podman ~]# yum -y install slirp4netns // already installed by default together with podman
上次元数据过期检查:1:13:07 前,执行于 2021年12月14日 星期二 03时34分00秒。
软件包 slirp4netns-1.1.8-1.module_el8.6.0+926+8bef8ae7.x86_64 已安装。
依赖关系解决。
无需任何处理。
完毕!
6.2 Install fuse-overlayfs
When using Podman as a regular user, fuse-overlayfs is recommended instead of the VFS file system; at least version 0.7.6 is required. Newer versions now use it by default
[root@podman ~]# yum -y install fuse-overlayfs // already installed by default together with podman
上次元数据过期检查:1:14:49 前,执行于 2021年12月14日 星期二 03时34分00秒。
软件包 fuse-overlayfs-1.7.1-1.module_el8.6.0+926+8bef8ae7.x86_64 已安装。
依赖关系解决。
无需任何处理。
完毕!
// configure the storage.conf file
[root@localhost ~]# vim /etc/containers/storage.conf
# Default Storage Driver, Must be set for proper operation.
driver = "overlay"
....
mount_program = "/usr/bin/fuse-overlayfs" // uncomment
6.3 /etc/subuid and /etc/subgid configuration
Podman requires the user running it to have a range of UIDs listed in the /etc/subuid and /etc/subgid files; these files are provided by shadow-utils
[root@podman ~]# yum -y install shadow-utils
// check /etc/subuid and /etc/subgid; each user's range must be unique and must not overlap any other
[root@podman ~]# podman exec -it 7a7ef04f9b85 /bin/bash
root@7a7ef04f9b85:/# id
uid=0(root) gid=0(root) groups=0(root)
root@7a7ef04f9b85:/# useradd lisi
root@7a7ef04f9b85:/# cat /etc/subuid
lisi:100000:65536
root@7a7ef04f9b85:/# useradd wangwu
root@7a7ef04f9b85:/# cat /etc/subuid
lisi:100000:65536
wangwu:165536:65536
The file format is USERNAME:UID:RANGE
- The username as listed in /etc/passwd or getpwent.
- The initial uid assigned to the user.
- The size of the UID range assigned to the user
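The two requirements stated above (the NAME:UID:RANGE format and non-overlapping ranges) are easy to get wrong when entries are added by hand. The following checker is an added example, not part of the original post or of Podman; it validates a subuid/subgid-style file with awk and runs on constructed sample files modelled on the lisi/wangwu entries, one clean and one with an overlap and a malformed line.

```shell
#!/bin/sh
# Added example, not from the original post: validate a /etc/subuid or
# /etc/subgid file. Every line must be NAME:START:COUNT with numeric START and
# a COUNT of at least 1, and no two users' ranges may overlap. Prints each
# problem found; exits 0 only when the file is clean.
check_subid_file() {
    awk -F: '
        /^[[:space:]]*$/ { next }                     # skip blank lines
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ || $3 == 0 {
            printf "bad entry at line %d: %s\n", NR, $0
            bad = 1; next
        }
        {
            n++; name[n] = $1; lo[n] = $2; hi[n] = $2 + $3 - 1
            # Compare with every earlier range; these files are short, so O(n^2) is fine.
            for (i = 1; i < n; i++)
                if (lo[n] <= hi[i] && lo[i] <= hi[n]) {
                    printf "overlap: %s (%d-%d) and %s (%d-%d)\n",
                           name[i], lo[i], hi[i], name[n], lo[n], hi[n]
                    bad = 1
                }
        }
        END { if (bad) exit 1 }
    ' "$1"
}

# Constructed sample files modelled on the lisi/wangwu entries shown above.
SUBUID_OK=$(mktemp)
printf 'lisi:100000:65536\nwangwu:165536:65536\n' > "$SUBUID_OK"
SUBUID_BAD=$(mktemp)
printf 'lisi:100000:65536\nwangwu:150000:65536\nbroken:abc:1\n' > "$SUBUID_BAD"

check_subid_file "$SUBUID_OK" && echo "$SUBUID_OK: no problems"
check_subid_file "$SUBUID_BAD" || echo "$SUBUID_BAD: problems found"
```

Run it against the real files with "check_subid_file /etc/subuid; check_subid_file /etc/subgid" after editing them; a non-zero exit means Podman will not be able to set up the user namespace for the affected users.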
User configuration files
The three main configuration files are containers.conf, storage.conf and registries.conf. Users can modify these files as needed
containers.conf
Podman reads these in order; when the earlier one is not found, it moves on to the next
1. /usr/share/containers/containers.conf
2. /etc/containers/containers.conf
3. $HOME/.config/containers/containers.conf
storage.conf
1. /etc/containers/storage.conf
2. $HOME/.config/containers/storage.conf
For a regular user, some fields of /etc/containers/storage.conf are ignored
graphroot="" container storage graph dir (default: "/var/lib/containers/storage")
    Default directory to store all writable content created by container storage programs.
runroot="" container storage run dir (default: "/run/containers/storage")
    Default directory to store all temporary writable content created by container storage programs.
For a regular user these fields default to
graphroot="$HOME/.local/share/containers/storage"
runroot="$XDG_RUNTIME_DIR/containers"
registries.conf
The configuration is read in this order. These files are not created by default; you can copy them from /usr/share/containers or /etc/containers and modify them
1. /etc/containers/registries.conf
2. /etc/containers/registries.d/*
3. $HOME/.config/containers/registries.conf
Authorization file and configuring a registry mirror
// registry mirror
[root@podman ~]# vim /etc/containers/registries.conf
unqualified-search-registries = ["docker.io"]
[[registry]]
prefix = "docker.io"
location = "xj3hc284.mirror.aliyuncs.com" // this is an Alibaba Cloud mirror; do not prefix it with https
// authorization: podman login logs in, and the default authorization file is ${XDG_RUNTIME_DIR}/containers/auth.json; the auth value is only base64 of username:password, not encrypted, so keep the file readable by its owner only
[root@podman ~]# cat /run/user/0/containers/auth.json
{
"auths": {
"docker.io": {
"auth": "emhhb2ppZTEwOnpqMTcyMDYxNTQ3Mw=="
}
}
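Because auth.json holds credentials that anyone who can read the file can recover, it is worth checking its permissions and contents after a login. The audit below is an added example, not part of the original post or of Podman: it reports each registry that has a stored credential and the username it belongs to, never prints the secret, and fails when the file mode is not 0600 or an auth value does not decode to user:password. It assumes GNU coreutils (stat -c, base64 -d) and the two-line layout Podman writes, and runs on a constructed sample whose credential is the placeholder user:secret.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Podman auth.json.
# Each "auth" value is just base64("username:password"), not encryption, so the
# file must stay readable by its owner alone (mode 0600). Reports one line per
# registry without ever printing the secret; returns 1 on any finding.
# Assumes GNU coreutils (stat -c, base64 -d) and the layout Podman writes
# (a registry key followed by its "auth" key); jq is not required.
audit_auth_json() {
    auth_file=$1
    findings=0
    file_mode=$(stat -c '%a' "$auth_file")
    if [ "$file_mode" != "600" ]; then
        echo "WARN: $auth_file has mode $file_mode, expected 600"
        findings=$((findings + 1))
    fi
    # Strip whitespace, then pull out registry names and auth values in order.
    regs=$(tr -d ' \t' < "$auth_file" | sed -n '/^"auths":{$/d; s/^"\([^"]*\)":{$/\1/p')
    auths=$(tr -d ' \t' < "$auth_file" | sed -n 's/^"auth":"\([^"]*\)".*$/\1/p')
    reg_tmp=$(mktemp); auth_tmp=$(mktemp)
    printf '%s\n' "$regs" > "$reg_tmp"
    printf '%s\n' "$auths" > "$auth_tmp"
    pairs=$(paste -d' ' "$reg_tmp" "$auth_tmp")
    rm -f "$reg_tmp" "$auth_tmp"
    # The here-document keeps the loop in the current shell so $findings survives.
    while read -r registry auth; do
        [ -n "$registry" ] || continue
        decoded=$(printf '%s' "$auth" | base64 -d 2>/dev/null) || decoded=
        case "$decoded" in
            *:*) echo "$registry: credential for user '${decoded%%:*}' (base64 only, not encrypted)" ;;
            *)   echo "WARN: $registry: auth value is not base64(user:password)"
                 findings=$((findings + 1)) ;;
        esac
    done <<EOF
$pairs
EOF
    [ "$findings" -eq 0 ]
}

# Constructed sample: the "auth" below is base64 of "user:secret", a placeholder,
# not a real credential. Usage: make_sample_auth_json MODE ; prints the path.
make_sample_auth_json() {
    sample_dir=$(mktemp -d)
    printf '{\n  "auths": {\n    "docker.io": {\n      "auth": "dXNlcjpzZWNyZXQ="\n    }\n  }\n}\n' > "$sample_dir/auth.json"
    chmod "$1" "$sample_dir/auth.json"
    echo "$sample_dir/auth.json"
}

audit_auth_json "$(make_sample_auth_json 600)"   # clean: one registry reported
audit_auth_json "$(make_sample_auth_json 644)" || echo "finding: fix with chmod 600"
```

On a real host run "audit_auth_json ${XDG_RUNTIME_DIR}/containers/auth.json" (for root that is /run/user/0/containers/auth.json as shown above); "podman logout --all" removes the stored credentials when they are no longer needed.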
7 Using volumes
When a container runs as the root user, the root user inside the container is actually your own user on the host. UID/GID 1 is the first UID/GID specified in the user mapping in /etc/subuid and /etc/subgid. If, as a regular user, you mount a host directory into the container and create files in that directory as root, you will see that they are actually owned by your user on the host.
// turn off the firewall and selinux before using volumes
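The mapping described above decides who owns a file on the host after it is written through a volume from a rootless container. The function below is an added example, not part of the original post or of Podman; it applies the rule (container UID 0 becomes the user's own UID, container UID k becomes START + k - 1 from the /etc/subuid entry) to constructed inputs for a user jj with host UID 1000 and the entry jj:100000:65536, and also shows the failure case of a container UID outside the mapped range.

```shell
#!/bin/sh
# Added example, not from the original post: work out which host UID a file
# created inside a rootless container ends up with. Rootless Podman maps the
# container's UIDs onto the user's own UID plus its /etc/subuid range:
#   container UID 0      -> the user's own host UID
#   container UID k >= 1 -> START + (k - 1), as long as k - 1 < COUNT
# Usage: host_uid_for HOST_UID "NAME:START:COUNT" CONTAINER_UID
# Prints the host UID; returns 1 when the container UID is outside the mapping.
host_uid_for() {
    host_uid=$1 entry=$2 cuid=$3
    rest=${entry#*:}          # strip NAME:
    start=${rest%%:*}         # START
    count=${rest#*:}          # COUNT
    if [ "$cuid" -eq 0 ]; then
        echo "$host_uid"
    elif [ "$cuid" -ge 1 ] && [ $((cuid - 1)) -lt "$count" ]; then
        echo $((start + cuid - 1))
    else
        return 1
    fi
}

# Constructed inputs: user jj with host UID 1000 and the entry jj:100000:65536
# (the same shape as the lisi/wangwu lines in section 6.3).
JJ_UID=1000
JJ_SUBUID="jj:100000:65536"

# Container root (UID 0) is jj on the host, which is why the MM file created by
# jj on the host shows up as owned by root inside the container.
host_uid_for "$JJ_UID" "$JJ_SUBUID" 0        # prints 1000
# A file created by a hypothetical unprivileged container user, UID 101, lands
# on host UID 100100, which no host account owns.
host_uid_for "$JJ_UID" "$JJ_SUBUID" 101      # prints 100100
# UID 65537 is one past the end of a 65536-entry range, so it cannot be mapped.
host_uid_for "$JJ_UID" "$JJ_SUBUID" 65537 || echo "container UID 65537 is unmapped"
```

The second case is the one that surprises people: files written by a non-root process inside the container appear on the host under a high, unowned UID, and the regular user cannot read them without podman unshare. The --userns=keep-id flag mentioned below avoids that by mapping the host user to the same UID inside the container.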
[root@podman ~]# useradd jj
[root@podman ~]# su - jj
[jj@podman ~]$ pwd
/home/jj
[jj@podman ~]$ podman run -it --name h1 -v /home/jj/test:/data busybox /bin/sh
/ # ls
bin data dev etc home proc root run sys tmp usr var
/ # ls -l data
total 0
[jj@podman ~]$ ls
test
[jj@podman ~]$ touch test/MM
/ # ls -l data
total 0
-rw-rw-r-- 1 root root 0 Dec 15 11:35 MM
// the --userns=keep-id flag ensures the user is mapped to its own UID and GID inside the container.
8 podman network configuration
One of the deciding factors for podman container networking is whether the container is run by the root user, because unprivileged users cannot create network interfaces on the host. So for rootful containers the default network mode uses Container Network Interface (CNI) plugins, specifically the bridge plugin; for rootless containers the default network mode is slirp4netns. Because of its limited privileges, slirp4netns lacks some of the capabilities of CNI networking; for example, slirp4netns cannot give a container a routable IP address. CNI stands for Container Network Interface.
8.1 Create a network
// create a network
[root@podman ~]# podman network create mynetwork
/etc/cni/net.d/mynetwork.conflist
[root@podman ~]# podman network ls
NETWORK ID NAME VERSION PLUGINS
2f259bab93aa podman 0.4.0 bridge,portmap,firewall,tuning
6d1b23123e26 mynetwork 0.4.0 bridge,portmap,firewall,tuning
// edit the subnet and gateway in the newly generated network config file, or pass --subnet (network and mask) and --gateway when creating the network
[root@podman ~]# cat /etc/cni/net.d/mynetwork.conflist
{
"cniVersion": "0.4.0", // cni version
"name": "mynetwork", // network name
"plugins": [
{
"type": "bridge", // interface type
"bridge": "cni-podman1",
"isGateway": true,
"ipMasq": true,
"hairpinMode": true,
"ipam": {
"type": "host-local",
"routes": [
{
"dst": "0.0.0.0/0"
}
],
"ranges": [
[
{
"subnet": "192.168.24.0/24", // change the subnet
"gateway": "192.168.24.1" // change the gateway
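When the subnet and gateway are edited by hand as described above, nothing checks that the gateway still lies inside the subnet; a mismatch leaves every container on the network with a default route it cannot reach. The checker below is an added example, not part of the original post or of Podman: it does the CIDR arithmetic in plain shell, pulls the first subnet/gateway pair out of a conflist with sed, and runs on two constructed conflist fragments, one consistent and one where the gateway belongs to a different network.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the subnet/gateway
# pair before writing it into a CNI conflist. Pure shell integer math plus sed.
ip_to_int() {
    # Turn a dotted quad into a 32-bit integer; returns 1 on any invalid octet.
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

gateway_in_subnet() {
    # Usage: gateway_in_subnet 192.168.24.0/24 192.168.24.1 ; exit 0 if inside.
    net=${1%/*} bits=${1#*/}
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    n=$(ip_to_int "$net") || return 1
    g=$(ip_to_int "$2") || return 1
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( n & mask )) -eq $(( g & mask )) ]
}

check_conflist() {
    # Extract the first "subnet" and "gateway" values from a conflist file.
    subnet=$(sed -n 's/.*"subnet": *"\([^"]*\)".*/\1/p' "$1" | head -n 1)
    gateway=$(sed -n 's/.*"gateway": *"\([^"]*\)".*/\1/p' "$1" | head -n 1)
    if [ -z "$subnet" ] || [ -z "$gateway" ]; then
        echo "ERROR: $1: subnet or gateway missing"; return 1
    fi
    if gateway_in_subnet "$subnet" "$gateway"; then
        echo "ok: $gateway is inside $subnet"
    else
        echo "ERROR: $gateway is not inside $subnet"; return 1
    fi
}

# Constructed conflist fragments (only the ipam part matters to the check).
CONF_OK=$(mktemp)
cat > "$CONF_OK" <<'EOF'
{ "cniVersion": "0.4.0", "name": "mynetwork", "plugins": [ { "type": "bridge",
  "ipam": { "type": "host-local", "ranges": [ [ {
    "subnet": "192.168.24.0/24",
    "gateway": "192.168.24.1"
  } ] ] } } ] }
EOF
CONF_BAD=$(mktemp)
sed 's/192.168.24.1/10.88.0.1/' "$CONF_OK" > "$CONF_BAD"

check_conflist "$CONF_OK"                              # ok
check_conflist "$CONF_BAD" || echo "fix the gateway before restarting containers"
```

Run "check_conflist /etc/cni/net.d/mynetwork.conflist" after editing the file; the same function works for any conflist that uses the host-local ipam plugin.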
// edit /usr/share/containers/containers.conf to make the newly created network the default
[root@podman ~]# vim /usr/share/containers/containers.conf
........
# The network name of the default CNI network to attach pods to.
#
default_network = "mynetwork" // add this line
#default_network = "podman" // this line is commented out by default
........
// create a container and check its network
[root@podman ~]# podman run -it --name test busybox
Resolved "busybox" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 3cb635b06aa2 done
Copying config ffe9d497c3 done
Writing manifest to image destination
Storing signatures
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 92:02:f4:9f:c7:1b brd ff:ff:ff:ff:ff:ff
inet 192.168.24.3/24 brd 192.168.24.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::9002:f4ff:fe9f:c71b/64 scope link
valid_lft forever preferred_lft forever
9 Starting podman containers at boot
9.1 podman in root mode
// first create a container
[root@podman ~]# podman run -dit --name nginx nginx
508f9b3387e8a383a7c89ef920afab91f7d07b9f5a2374f693824b6e512d988a
[root@podman ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
508f9b3387e8 localhost/nginx:latest nginx -g daemon o... 6 seconds ago Up 6 seconds ago nginx
// generate the service file
[root@podman ~]# podman generate systemd --files --name nginx
/root/container-nginx.service
[root@podman ~]# ls
anaconda-ks.cfg container-nginx.service
[root@podman ~]# cat container-nginx.service
# container-nginx.service
# autogenerated by Podman 3.4.1-dev
# Wed Dec 15 07:10:17 EST 2021
[Unit]
Description=Podman container-nginx.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=/run/containers/storage
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStart=/usr/bin/podman start nginx
ExecStop=/usr/bin/podman stop -t 10 nginx
ExecStopPost=/usr/bin/podman stop -t 10 nginx
PIDFile=/run/containers/storage/overlay-containers/508f9b3387e8a383a7c89ef920afab91f7d07b9f5a2374f693824b6e512d988a/userdata/conmon.pid
Type=forking
[Install]
WantedBy=multi-user.target default.target
// move the container's service file to /usr/lib/systemd/system
[root@podman ~]# mv container-nginx.service /usr/lib/systemd/system/
[root@podman ~]# ls /usr/lib/systemd/system/container-nginx.service
/usr/lib/systemd/system/container-nginx.service
// enable the container service at boot
[root@podman ~]# systemctl enable --now container-nginx.service
Created symlink /etc/systemd/system/multi-user.target.wants/container-nginx.service → /usr/lib/systemd/system/container-nginx.service.
Created symlink /etc/systemd/system/default.target.wants/container-nginx.service → /usr/lib/systemd/system/container-nginx.service.
[root@podman ~]# systemctl status container-nginx.service
● container-nginx.service - Podman container-nginx.service
Loaded: loaded (/usr/lib/systemd/system/container-nginx.service; enabled; vendor>
Active: active (running) since Wed 2021-12-15 07:13:22 EST; 8s ago
Docs: man:podman-generate-systemd(1)
Process: 5259 ExecStart=/usr/bin/podman start nginx (code=exited, status=0/SUCCES>
Main PID: 5017 (conmon)
Tasks: 0 (limit: 49290)
Memory: 1.7M
CGroup: /system.slice/container-nginx.service
‣ 5017 /usr/bin/conmon --api-version 1 -c 508f9b3387e8a383a7c89ef920afab>
12月 15 07:13:22 podman systemd[1]: Starting Podman container-nginx.service...
12月 15 07:13:22 podman systemd[1]: Started Podman container-nginx.service.
lines 1-13/13 (END)
9.2 Starting a non-root user's container at boot
// the regular user must log in over ssh; otherwise the error "Failed to connect to bus: No such file or directory" appears
[root@podman ~]# useradd jj
useradd:用户“jj”已存在
[root@podman ~]# echo '123' | passwd --stdin jj
更改用户 jj 的密码 。
passwd:所有的身份验证令牌已经成功更新。
[root@podman ~]# ssh jj@192.168.25.147
The authenticity of host '192.168.25.147 (192.168.25.147)' can't be established.
ECDSA key fingerprint is SHA256:1RKF1dDMiNk1NgpQCf2BP231oK3MOjFXoSDgRJ2FeS4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.25.147' (ECDSA) to the list of known hosts.
jj@192.168.25.147's password:
Last login: Wed Dec 15 07:14:51 2021
// run a container; a non-root user can only map ports above 1024, ports below 1024 can only be mapped by root.
[jj@podman ~]$ podman run -dit --name nginx nginx
f0f478670345539c4278a2d5d3113982035ce3f94d01875e8ef3895918d7092b
[jj@podman ~]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f0f478670345 docker.io/library/nginx:latest nginx -g daemon o... 9 seconds ago Up 9 seconds ago nginx
// create the service file directory structure; it must be created exactly as follows and nothing may be changed
[jj@podman ~]$ mkdir -p ~/.config/systemd/user/
[jj@podman ~]$ cd .config/systemd/user/
[jj@podman user]$ pwd
/home/jj/.config/systemd/user
// generate the service file
[jj@podman user]$ podman generate systemd --files --new --name nginx
/home/jj/.config/systemd/user/container-nginx.service
[jj@podman user]$ ls
container-nginx.service
[jj@podman user]$ cat container-nginx.service
# container-nginx.service
# autogenerated by Podman 3.4.1-dev
# Wed Dec 15 07:25:40 EST 2021
[Unit]
Description=Podman container-nginx.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/%n.ctr-id
ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --cgroups=no-conmon --rm --sdnotify=conmon --replace -dit --name nginx nginx
ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all
[Install]
WantedBy=multi-user.target default.target
// stop the container manually so that the boot autostart can be tested later
[jj@podman user]$ podman stop -l
f0f478670345539c4278a2d5d3113982035ce3f94d01875e8ef3895918d7092b
[jj@podman user]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
// reload units and enable at boot; a rootless user must add --user
[jj@podman user]$ systemctl --user daemon-reload
[jj@podman user]$ systemctl --user enable --now container-nginx.service
Created symlink /home/jj/.config/systemd/user/multi-user.target.wants/container-nginx.service → /home/jj/.config/systemd/user/container-nginx.service.
Created symlink /home/jj/.config/systemd/user/default.target.wants/container-nginx.service → /home/jj/.config/systemd/user/container-nginx.service.
// check the container service status (without --user, systemctl queries the system instance, so the output below is the root unit from 9.1)
[jj@podman user]$ systemctl status container-nginx.service
● container-nginx.service - Podman container-nginx.service
Loaded: loaded (/usr/lib/systemd/system/container-nginx.service; enabled; vendor>
Active: active (running) since Wed 2021-12-15 07:13:22 EST; 15min ago
Docs: man:podman-generate-systemd(1)
Process: 5259 ExecStart=/usr/bin/podman start nginx (code=exited, status=0/SUCCES>
Main PID: 5017 (conmon)
Tasks: 0 (limit: 49290)
Memory: 1.5M
CGroup: /system.slice/container-nginx.service
‣ 5017 /usr/bin/conmon --api-version 1 -c 508f9b3387e8a383a7c89ef920afab>
lines 1-10/10 (END)
// the nginx container was stopped manually earlier and autostart has been enabled; check whether the container is running
[jj@podman user]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d9ac7c19d022 docker.io/library/nginx:latest nginx -g daemon o... About a minute ago Up About a minute ago nginx
// stopping the service removes the container automatically
[jj@podman user]$ systemctl --user stop container-nginx.service
[jj@podman user]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[jj@podman user]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
// starting the service creates and runs the container automatically
[jj@podman user]$ systemctl --user start container-nginx.service
[jj@podman user]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
20fbf8534c69 docker.io/library/nginx:latest nginx -g daemon o... 4 seconds ago Up 3 seconds ago nginx
// check whether the regular user has systemd permission
[jj@podman user]$ loginctl user-status jj
jj (1000)
Since: Wed 2021-12-15 07:22:24 EST; 8min ago
State: active // active means the user has this permission; without it, linger is shown
// if the regular user lacks systemd permission, run the following command to enable it
loginctl enable-linger <username>