
Podman Basic Usage

Author: Internet

Podman Basics

1. What is Podman?

Podman is an open-source, Linux-native tool for developing, managing and running containers and pods according to the Open Container Initiative (OCI) standards. Podman is a user-friendly container engine developed by Red Hat and is the default container engine in RHEL 8 and CentOS 8.

It is a tool that bundles a set of commands, designed to handle the different tasks of containerized processes, and can work as a modular framework. Its toolset includes:

Podman website: https://podman.io/

Podman project: https://github.com/containers/libpod

2. Differences between Podman and Docker

Docker needs a daemon (dockerd) running on the system; Podman does not.

  • The docker CLI talks to the Docker Engine over an API to ask for a container; the Docker Engine then calls the OCI container runtime (runc) to start it. The container process is therefore not a child of the Docker CLI but a child of the Docker Engine.
  • Podman talks to the OCI container runtime (runc) directly to create the container, so the container process hangs off Podman itself: more precisely, off conmon, the small monitor process Podman forks for every container. Once a detached container is running, no podman process needs to remain at all.

The figure (not reproduced here) shows that Podman has no daemon while Docker does. In that diagram, Docker's containerd-shim and Podman's conmon are placed in the same "Container" layer.
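To see this for yourself, the following added example (not code from the original post or from the Podman project) walks the parent chain of a container's main process as seen from the host. It assumes a Linux /proc and, for the live demo, a Podman installation that can pull httpd; the container name anc-demo is arbitrary.

```sh
#!/bin/sh
# Added example, not from the original post: walk the parent chain of a
# container's main process to see what actually sits above it.
# Assumes Linux /proc and, for container_ancestry, a running Podman container.

# ancestry PID -> prints "pid ppid comm" for PID and each ancestor up to init.
# /proc/PID/stat is parsed around the parentheses because comm may itself
# contain spaces or ')'.
ancestry() {
    pid=$1
    while [ "$pid" -gt 0 ] 2>/dev/null && [ -r "/proc/$pid/stat" ]; do
        st=$(cat "/proc/$pid/stat")
        comm=${st#*(}; comm=${comm%)*}                 # text between first ( and last )
        rest=${st##*) }                                # fields after the last ")": state ppid ...
        ppid=$(printf '%s\n' "$rest" | cut -d' ' -f2)  # field 4 of stat is the ppid
        printf '%s %s %s\n' "$pid" "$ppid" "$comm"
        pid=$ppid
    done
}

# container_ancestry NAME -> ancestry of the container's PID 1, host view.
container_ancestry() {
    cpid=$(podman inspect --format '{{.State.Pid}}' "$1") || return 1
    ancestry "$cpid"
}

# Demo (only when podman is present): run with --demo.
if command -v podman >/dev/null 2>&1 && [ "${1:-}" = "--demo" ]; then
    podman run -d --rm --name anc-demo httpd >/dev/null
    container_ancestry anc-demo
    podman stop anc-demo >/dev/null
fi
```

With podman run -d the chain you get is the container's main process, then conmon, then init/systemd (or another subreaper); no podman process is in it, because the CLI hands the container to conmon and exits. That is the practical difference from Docker, where the same walk leads to the containerd/dockerd side, and it is why a crash or restart of the podman binary does not take running containers with it.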

3. Deploying Podman

3.1 Installing Podman and configuring a registry mirror

# 1. Configure the yum repository first
[root@localhost yum.repos.d]#curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-vault-8.5.2111.repo
[root@localhost yum.repos.d]#sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo

# 2. Install Podman
[root@localhost ~]# yum -y install podman
[root@localhost ~]# podman version 
Version:      3.3.1
API Version:  3.3.1
Go Version:   go1.16.7
Built:        Wed Nov 10 05:23:56 2021
OS/Arch:      linux/amd64

Configuring a registry mirror

The Aliyun mirror is used here; see "Docker Basic Usage" for how to obtain one.

# Back up the configuration file
[root@localhost ~]# cd /etc/containers/
[root@localhost containers]# ls
certs.d  oci  policy.json  registries.conf  registries.conf.d  registries.d  storage.conf
[root@localhost containers]# mv registries.conf registries.conf.backups

# Create a new, empty registries.conf and configure it
[root@localhost containers]# vim registries.conf
unqualified-search-registries = ["docker.io"]		# registries searched for unqualified image names; only docker.io here

[[registry]]
prefix = ""
location= "6vrrj6n2.mirror.aliyuncs.com"		# Aliyun mirror address

Note that when prefix is empty it defaults to the value of location, so this entry only matches image references that already name the mirror host; pulls of docker.io images are not redirected by it. The documented way to mirror docker.io is a [[registry]] entry with prefix = "docker.io" and a [[registry.mirror]] sub-table naming the mirror. A mirror is also a third party inserted into the image supply chain, so pull by digest whenever the exact image identity matters.
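Added example (not from the original post or the Podman project): a script that writes a registries.conf that really mirrors docker.io, plus a small checker for it. The mirror host is the one from the post, the target directory is a parameter so the result can be tried in a scratch directory first, and the checker is a deliberately simple awk pass over the TOML, not a full parser.

```sh
#!/bin/sh
# Added example, not from the original post: a registries.conf that actually
# mirrors docker.io, and a checker that reports which mirror a prefix gets.

# write_registries_conf DIR MIRROR_HOST
# Writes DIR/registries.conf. The [[registry]] entry must carry
# prefix = "docker.io"; an empty prefix would default to the location and the
# entry would never match docker.io references.
write_registries_conf() {
    dir=$1 mirror=$2
    cat > "$dir/registries.conf" <<EOF
unqualified-search-registries = ["docker.io"]

[[registry]]
prefix = "docker.io"
location = "docker.io"

[[registry.mirror]]
location = "$mirror"
EOF
}

# mirror_for DIR PREFIX
# Prints the mirror configured for PREFIX (e.g. docker.io), or nothing.
# Small awk state machine: remember the prefix of the current [[registry]]
# table, then report the location of its [[registry.mirror]] sub-table.
mirror_for() {
    awk -v want="$2" '
        /^\[\[registry\]\]/         { in_reg = 1; in_mirror = 0; prefix = ""; next }
        /^\[\[registry\.mirror\]\]/ { in_mirror = 1; next }
        /^prefix *=/ && in_reg      { gsub(/.*= *"|"/, ""); prefix = $0; next }
        /^location *=/ && in_mirror && prefix == want {
            gsub(/.*= *"|"/, ""); print; exit
        }
    ' "$1/registries.conf"
}

# Run as root with --install to write the real file and show what podman sees.
if [ "${1:-}" = "--install" ]; then
    write_registries_conf /etc/containers 6vrrj6n2.mirror.aliyuncs.com
    echo "docker.io mirror: $(mirror_for /etc/containers docker.io)"
    podman info | grep -A 8 '^registries:'
fi
```

After installing, `podman pull busybox` goes through the mirror while the image name still resolves to docker.io/library/busybox. Keep `insecure = false` (the default) so TLS is still required, and for anything you care about pull by digest (`podman pull docker.io/library/busybox@sha256:...`): the digest, not the mirror, is then the image identity, so a mirror that served different bytes would simply fail the pull.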

Podman alias

# Alias podman as docker (the podman-docker package installs the same shim system-wide)
[root@localhost ~]# alias docker=podman

# Confirm that Docker itself is not installed
[root@localhost ~]# rpm -qa|grep docker

# The "docker" command can now be used
[root@localhost ~]# docker images
REPOSITORY               TAG     IMAGE ID      CREATED      SIZE
docker.io/library/nginx  latest  35c43ace9216  2 weeks ago  137 MB

3.2 Common Podman commands

Images

podman search # search for images

[root@localhost ~]# podman search bosybox
INDEX       NAME                            DESCRIPTION    STARS       OFFICIAL    AUTOMATED
docker.io   docker.io/deathknight2/bosybox                 0                       
docker.io   docker.io/messi110/bosybox                     0                       
docker.io   docker.io/demodocker07/bosybox                 0                       
docker.io   docker.io/bosybox/bosybox                      0                       
docker.io   docker.io/wan012q/bosybox                      0                       
docker.io   docker.io/xiaowen20/http        bosybox http   0                       
docker.io   docker.io/yushanshuai/httpd     bosybox httpd  0                       
docker.io   docker.io/15908168410/bosybox   测试bosybox      0                     

Note the misspelled search term: "bosybox" matches only unofficial third-party repositories (0 stars, OFFICIAL column empty). This is exactly what typosquatted images look like, so check the namespace and the OFFICIAL column before pulling anything a search returns.

podman pull # fetch an image

[root@localhost ~]# podman pull busybox
Resolved "busybox" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 50783e0dfb64 done  
Copying config 7a80323521 done  
Writing manifest to image destination
Storing signatures
7a80323521ccd4c2b4b423fa6e38e5cea156600f40cd855e464cc52a321a24dd

podman images # list images

[root@localhost ~]# podman images
REPOSITORY                 TAG         IMAGE ID      CREATED      SIZE
docker.io/library/busybox  latest      7a80323521cc  2 weeks ago  1.47 MB

podman rmi # delete an image

[root@localhost ~]# podman rmi busybox
Untagged: docker.io/library/busybox:latest
Deleted: 7a80323521ccd4c2b4b423fa6e38e5cea156600f40cd855e464cc52a321a24dd
[root@localhost ~]# podman images
REPOSITORY  TAG         IMAGE ID    CREATED     SIZE

podman inspect # show detailed information about an image

[root@localhost ~]# podman inspect IMAGE:TAG
......

podman tag # add another name (alias) for an image

[root@localhost ~]# podman tag IMAGE:TAG NEWIMAGE:NEWTAG

# Example:
[root@localhost ~]# podman tag busybox:latest runtime:v1
[root@localhost ~]# podman images
REPOSITORY                 TAG         IMAGE ID      CREATED      SIZE
docker.io/library/busybox  latest      7a80323521cc  2 weeks ago  1.47 MB
localhost/runtime          v1          7a80323521cc  2 weeks ago  1.47 MB

podman save # export an image

[root@localhost ~]# podman save > busybox.tar busybox
[root@localhost ~]# ls
anaconda-ks.cfg  busybox.tar

podman load # import an image

[root@localhost ~]# podman load < busybox.tar 
Getting image source signatures
Copying blob 084326605ab6 done  
Copying config 7a80323521 done  
Writing manifest to image destination
Storing signatures
Loaded image(s): docker.io/library/busybox:latest
[root@localhost ~]# podman images
REPOSITORY                 TAG         IMAGE ID      CREATED      SIZE
docker.io/library/busybox  latest      7a80323521cc  2 weeks ago  1.47 MB

Containers

podman run # create and start a container

[root@localhost ~]# podman run -dit --name web1 httpd
8405d2772400fe8026cd45d538f8f391410e7213e7c0217fba37a970eba72ff4

podman create # create a container (without starting it)

[root@localhost ~]# podman create httpd

podman ps # list containers

[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND           CREATED         STATUS            PORTS       NAMES
8405d2772400  docker.io/library/httpd:latest  httpd-foreground  2 minutes ago   Up 2 minutes ago              web1
3a7c9d32adf5  docker.io/library/httpd:latest  httpd-foreground  33 seconds ago  Created                       strange_neumann

podman start # start a container

[root@localhost ~]# podman start 3a7c9d32adf5
3a7c9d32adf5
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND           CREATED             STATUS             PORTS       NAMES
8405d2772400  docker.io/library/httpd:latest  httpd-foreground  3 minutes ago       Up 2 minutes ago               web1
3a7c9d32adf5  docker.io/library/httpd:latest  httpd-foreground  About a minute ago  Up 13 seconds ago              strange_neumann

podman restart # restart a container

[root@localhost ~]# podman restart 3a7c9d32adf5
3a7c9d32adf5e21ceba3b19a885fd595e2950ae7d3618efc443088367704ace3

podman stop # stop a container

[root@localhost ~]# podman stop 3a7c9d32adf5
3a7c9d32adf5
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS                    PORTS       NAMES
8405d2772400  docker.io/library/httpd:latest  httpd-foreground  4 minutes ago  Up 4 minutes ago                      web1
3a7c9d32adf5  docker.io/library/httpd:latest  httpd-foreground  2 minutes ago  Exited (0) 7 seconds ago              strange_neumann

podman rm # delete a container

# Remove a container with rm (the container should be stopped; removing a running container fails unless forced with rm -f)
[root@localhost ~]# podman rm 3a7c9d32adf5
3a7c9d32adf5e21ceba3b19a885fd595e2950ae7d3618efc443088367704ace3
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS       NAMES
8405d2772400  docker.io/library/httpd:latest  httpd-foreground  4 minutes ago  Up 4 minutes ago              web1

podman logs # view container logs

[root@localhost ~]# podman logs web1
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.4. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.4. Set the 'ServerName' directive globally to suppress this message
[Sat Aug 13 06:12:09.085347 2022] [mpm_event:notice] [pid 1:tid 140027846626624] AH00489: Apache/2.4.54 (Unix) configured -- resuming normal operations
[Sat Aug 13 06:12:09.085496 2022] [core:notice] [pid 1:tid 140027846626624] AH00094: Command line: 'httpd -D FOREGROUND'

podman attach # attach to a container

# attach connects your terminal to the container's main process: you cannot run commands there, and exiting stops the container (the detach key sequence, Ctrl-p Ctrl-q by default, leaves without stopping it). Prefer exec.
[root@localhost ~]#podman attach web2

(access it from another terminal)
[root@localhost ~]# curl 10.88.0.9
<html><body><h1>It works!</h1></body></html>

(the access log line appears in the attached session)
10.88.0.1 - - [13/Aug/2022:06:27:11 +0000] "GET / HTTP/1.1" 200 45

podman exec # run a command inside a container

# exec -it runs an interactive shell such as /bin/bash or /bin/sh inside the container; you can work there and exiting does not stop the container
(the container must be running first)
[root@localhost ~]# podman start web1
web1
[root@localhost ~]# podman exec -it web1 /bin/bash
root@8405d2772400:/usr/local/apache2# 

podman export # export a container's filesystem

[root@localhost ~]# podman export -o web.tar web1
[root@localhost ~]# ls
anaconda-ks.cfg  busybox.tar  web.tar

podman import # import a container snapshot as an image

[root@localhost ~]# podman import web.tar 
Getting image source signatures
Copying blob f8c5231b85bd done  
Copying config 4166d975be done  
Writing manifest to image destination
Storing signatures
sha256:4166d975beffdcb17b6a87b7f6b0878594b8e4d4d972e487c70fe60626b07724
[root@localhost ~]# podman images
REPOSITORY               TAG         IMAGE ID      CREATED        SIZE
<none>                   <none>      4166d975beff  5 minutes ago  147 MB
docker.io/library/httpd  latest      f2a976f932ec  11 days ago    149 MB

4. Pushing and pulling images with Podman

# 1. Tag the image as 483607723/runtime, version v2
[root@localhost ~]# podman tag docker.io/library/httpd:latest docker.io/483607723/runtime:v2
[root@localhost ~]# podman images
REPOSITORY                   TAG         IMAGE ID      CREATED      SIZE
docker.io/library/httpd      latest      f2a976f932ec  11 days ago  149 MB
docker.io/483607723/runtime  v2          f2a976f932ec  11 days ago  149 MB

# 2. Log in to the Docker Hub account
[root@localhost ~]# podman login
Username: 483607723
Password: 
Login Succeeded!

# 3. Push the retagged image
[root@localhost ~]# podman push docker.io/483607723/runtime:v2 
Getting image source signatures
Copying blob eea65516ea3b skipped: already exists  
Copying blob 92a4e8a3140f skipped: already exists  
Copying blob 28a53545632f skipped: already exists  
Copying blob 54fa52c69e00 skipped: already exists  
Copying blob 0c2dead5c030 [--------------------------------------] 0.0b / 0.0b
Copying config f2a976f932 done  
Writing manifest to image destination
Storing signatures

Pushed successfully

# 4. Pull the image we just pushed
[root@localhost ~]# podman pull 483607723/runtime:v2
Trying to pull docker.io/483607723/runtime:v2...
Getting image source signatures
Copying blob 80cb79a80bbe skipped: already exists  
Copying blob aed046121ed8 skipped: already exists  
Copying blob 1efc276f4ff9 skipped: already exists  
Copying blob 4340e7be3d7f skipped: already exists  
Copying blob 80e368ef21fc [--------------------------------------] 0.0b / 0.0b
Copying config f2a976f932 done  
Writing manifest to image destination
Storing signatures
f2a976f932ec6fe48978c1cdde2c8217a497b1f080c80e49049e02757302cf74
[root@localhost ~]# podman images
REPOSITORY                   TAG         IMAGE ID      CREATED      SIZE
docker.io/library/httpd      latest      f2a976f932ec  11 days ago  149 MB
docker.io/483607723/runtime  v2          f2a976f932ec  11 days ago  149 MB

5. Configuration for rootless (non-root) users

Before allowing users without root privileges to run Podman, the administrator must install or build Podman and complete the following configuration.

See the official Podman documentation for details.

Create a regular user

[root@localhost ~]# useradd zsl

A regular user cannot see root's images (every user has separate image storage)

# root user
[root@localhost ~]# podman images
REPOSITORY               TAG         IMAGE ID      CREATED      SIZE
docker.io/library/httpd  latest      f2a976f932ec  13 days ago  149 MB

# regular user
[root@localhost ~]# su - zsl
[zsl@localhost ~]$ podman images
REPOSITORY  TAG         IMAGE ID    CREATED     SIZE

cgroup v2 support

The cgroup v2 kernel feature lets users limit the resources rootless containers can use. If the Linux distribution running Podman has cgroup v2 enabled, the default OCI runtime may need to be changed: some older versions of runc do not work with cgroup v2, and you may have to switch to the alternative OCI runtime crun.

The default OCI runtime can be changed for all commands by changing the value of runtime = "runc" to runtime = "crun" in containers.conf, either at the system level or at the user level.

# Install crun
[root@localhost ~]# yum -y install crun

# Uncomment the line and change it to crun (the post edits the vendor file under /usr/share; an override in /etc/containers/containers.conf survives package upgrades)
[root@localhost ~]# vim /usr/share/containers/containers.conf 
.....
# Default OCI runtime
#
runtime = "crun"     # uncommented
#runtime = "runc"    # commented out
......

# Start a container and check
[root@localhost ~]# podman run -d --rm --name web1 httpd
[root@localhost ~]# podman inspect web1 | grep crun
        "OCIRuntime": "crun",
            "crun",

Install slirp4netns

Provides user-mode networking and must be installed for Podman to work in a rootless environment

[root@localhost ~]# yum -y install slirp4netns
[root@localhost ~]# rpm -qa | grep slirp4netns
slirp4netns-1.1.8-1.module_el8.5.0+890+6b136101.x86_64

Install fuse-overlayfs

In a rootless environment, the fuse-overlayfs storage driver is recommended over VFS

[root@localhost ~]# yum -y install fuse-overlayfs
[root@localhost ~]# rpm -qa | grep fuse-overlayfs
fuse-overlayfs-1.7.1-1.module_el8.5.0+890+6b136101.x86_64

# Configure storage.conf
[root@localhost ~]# vim /etc/containers/storage.conf 
# Uncomment the following line
mount_program = "/usr/bin/fuse-overlayfs"

Configuring /etc/subuid and /etc/subgid

Podman requires the user running it to have a range of UIDs listed in /etc/subuid and a range of GIDs listed in /etc/subgid. The shadow-utils package provides these files and the newuidmap/newgidmap helpers that apply them.

[root@localhost ~]# yum -y install shadow-utils

Update /etc/subuid and /etc/subgid with an entry like the following for every user who may create containers. Each user's values must be unique and must not overlap: if ranges overlap, one user can operate inside another user's namespace and may corrupt it.

[root@localhost ~]# cat /etc/subuid
zsl:100000:65536
[root@localhost ~]# cat /etc/subgid
zsl:100000:65536
[root@localhost ~]# useradd zsl1
[root@localhost ~]# cat /etc/subuid
zsl:100000:65536
zsl1:165536:65536

The file format is USERNAME:UID:RANGE

This means user zsl is allocated UIDs 100000-165535 in addition to the standard UID from /etc/passwd.

If /etc/subuid or /etc/subgid is changed, all running containers owned by that user must be stopped and the user's pause process on the system killed. This can be done automatically with podman system migrate, which stops all of the user's containers and kills the pause process.

Enabling unprivileged ping

A user running in an unprivileged container may not be able to use the ping utility inside the container.

If this is required, the administrator must verify that the user's GIDs (including the subordinate GIDs the container uses) fall within the range in /proc/sys/net/ipv4/ping_group_range.

To change the value, the administrator can run something like sysctl -w "net.ipv4.ping_group_range=0 2000000"

To make the change persistent, add a file with a .conf extension under /etc/sysctl.d (the post uses /etc/sysctl.conf directly) containing net.ipv4.ping_group_range=0 $MAX_GID, where $MAX_GID is the highest GID allocated to any user who runs containers.

[root@localhost ~]# vim /etc/sysctl.conf 
net.ipv4.ping_group_range=0 200000		# anything above zsl's highest subordinate GID (165535) lets zsl's containers ping
[root@localhost ~]# sysctl -p
net.ipv4.ping_group_range = 0 200000
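The two requirements above, non-overlapping subordinate ranges and a ping_group_range that reaches the user's highest GID, can both be checked mechanically. The following added example (not from the original post or the Podman documentation) does that in POSIX shell with awk; the sample files it writes are constructed, and the real /etc/subuid and /etc/subgid are only read when it is run with --check.

```sh
#!/bin/sh
# Added example, not from the original post: validate subordinate ID files and
# derive the ping_group_range sysctl from them.

# check_subid FILE -> 0 if every line is NAME:START:COUNT with COUNT > 0 and no
# two ranges overlap; otherwise prints the offending lines and returns 1.
# Overlap matters: a user whose range overlaps another's can act on files and
# processes owned by the other user's container UIDs/GIDs.
check_subid() {
    awk -F: '
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ || $3 == 0 {
            print "malformed: " $0; bad = 1; next
        }
        {
            start[NR] = $2; end[NR] = $2 + $3 - 1; who[NR] = $1
            for (i in start)
                if (i != NR && start[i] <= end[NR] && start[NR] <= end[i]) {
                    print "overlap: " who[i] " and " who[NR]; bad = 1
                }
        }
        END { exit bad }
    ' "$1"
}

# max_subgid FILE USER -> highest GID in USER's subordinate range (start+count-1).
max_subgid() {
    awk -F: -v u="$2" '$1 == u { m = $2 + $3 - 1; if (m > max) max = m } END { print max + 0 }' "$1"
}

# max_subgid_all FILE -> highest subordinate GID of any user, i.e. $MAX_GID above.
max_subgid_all() {
    awk -F: '{ m = $2 + $3 - 1; if (m > max) max = m } END { print max + 0 }' "$1"
}

# ping_group_range_covers "LOW HIGH" GID -> 0 if GID lies inside the range.
ping_group_range_covers() {
    low=${1%% *}; high=${1##* }
    [ "$2" -ge "$low" ] && [ "$2" -le "$high" ]
}

# sysctl_dropin FILE -> the /etc/sysctl.d line for the ranges in FILE;
# 0 as the low end keeps the users' primary groups covered as well.
sysctl_dropin() {
    printf 'net.ipv4.ping_group_range = 0 %s\n' "$(max_subgid_all "$1")"
}

# demo_files DIR -> writes constructed samples; the second one has an overlap
# (zsl1 starts inside zsl's range). Echoes DIR.
demo_files() {
    printf 'zsl:100000:65536\nzsl1:165536:65536\n' > "$1/subgid.ok"
    printf 'zsl:100000:65536\nzsl1:150000:65536\n' > "$1/subgid.overlap"
    echo "$1"
}

if [ "${1:-}" = "--check" ]; then
    check_subid /etc/subuid && check_subid /etc/subgid && sysctl_dropin /etc/subgid
fi
```

With the page's numbers, zsl's highest subordinate GID is 165535, so the 0 200000 range covers zsl; zsl1's range (165536-231071) is not fully covered, so a container of zsl1 still cannot ping until the upper bound is raised. The printed line goes into /etc/sysctl.d/99-podman-ping.conf, applied with sysctl --system.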

User configuration files

Podman's configuration files for root live in /usr/share/containers, with overrides in /etc/containers. In the rootless environment they live in ${XDG_CONFIG_HOME}/containers (usually ~/.config/containers) and are owned by each user.

The three main configuration files are containers.conf, storage.conf and registries.conf. Users can modify these files as needed.

containers.conf

# /usr/share/containers/containers.conf
# /etc/containers/containers.conf
# $HOME/.config/containers/containers.conf  # highest priority

They are read in that order if they exist; each file can override specific fields of the previous one.

storage.conf

# /etc/containers/storage.conf
# $HOME/.config/containers/storage.conf

In rootless mode, some fields in /etc/containers/storage.conf are ignored. These fields are:

graphroot=""
 container storage graph dir (default: "/var/lib/containers/storage")
 Default directory to store all writable content created by container storage programs.

runroot=""
 container storage run dir (default: "/run/containers/storage")
 Default directory to store all temporary writable content created by container storage programs.

For rootless users these fields default to

graphroot="$HOME/.local/share/containers/storage"
runroot="$XDG_RUNTIME_DIR/containers"

registries.conf

The configuration is read in this order; these files are not created by default and can be copied from /usr/share/containers or /etc/containers and then modified.

# /etc/containers/registries.conf
# /etc/containers/registries.d/*
# $HOME/.config/containers/registries.conf

Authorization file

The default authorization file used by podman login and podman logout is ${XDG_RUNTIME_DIR}/containers/auth.json

# Log in to Docker Hub as root
[root@localhost ~]# podman login
Username: 483607723
Password: 
Login Succeeded!

[root@localhost ~]# find / -name auth.json
/run/user/0/containers/auth.json

[root@localhost ~]# cat /run/user/0/containers/auth.json 
{
	"auths": {
		"docker.io": {
			"auth": "<base64 of username:password>"
		}
	}
}

The auth value is nothing more than base64(username:password): it is encoded, not encrypted, so anyone who can read the file has the password. Podman creates the file with mode 0600, and /run/user/<uid> is a tmpfs that systemd removes when the user's last session ends; still, run podman logout as soon as the credential is no longer needed, and never paste the file's contents anywhere.
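What podman login writes, and why the file must stay private, can be checked with the following added example (not from the original post or the Podman project). The credential user:secret is constructed; auth_path follows Podman's lookup order of REGISTRY_AUTH_FILE and then ${XDG_RUNTIME_DIR}/containers/auth.json, and the JSON extraction is a minimal awk pass over the format podman login produces, not a JSON parser.

```sh
#!/bin/sh
# Added example, not from the original post: show what auth.json really holds
# and check that it is protected. "user:secret" below is a constructed
# credential; never write a real password into a script.

# sample_auth DIR -> writes DIR/auth.json in podman login's format and echoes
# the path. "dXNlcjpzZWNyZXQ=" is base64("user:secret").
sample_auth() {
    f=$1/auth.json
    printf '{\n\t"auths": {\n\t\t"docker.io": {\n\t\t\t"auth": "dXNlcjpzZWNyZXQ="\n\t\t}\n\t}\n}\n' > "$f"
    chmod 600 "$f"
    echo "$f"
}

# auth_blob FILE REGISTRY -> the raw "auth" value for REGISTRY. It is base64,
# not encryption: anyone who can read the file has the password.
auth_blob() {
    awk -v reg="\"$2\"" '
        $1 == (reg ":") { in_reg = 1; next }
        in_reg && $1 == "\"auth\":" { gsub(/[",]/, "", $2); print $2; exit }
    ' "$1"
}

# auth_user FILE REGISTRY -> only the username part of the decoded credential.
auth_user() {
    auth_blob "$1" "$2" | base64 -d | cut -d: -f1
}

# auth_file_private FILE -> 0 if only the owner can read it (mode 600 or 400).
auth_file_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# auth_path -> where podman keeps the file for the current user.
auth_path() {
    echo "${REGISTRY_AUTH_FILE:-${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/containers/auth.json}"
}

# Run with --check to inspect the live file without printing the password.
if [ "${1:-}" = "--check" ]; then
    f=$(auth_path)
    if [ -f "$f" ]; then
        auth_file_private "$f" || echo "WARNING: $f is readable by others"
        echo "docker.io login as: $(auth_user "$f" docker.io)"
    else
        echo "no $f (not logged in, or already logged out)"
    fi
fi
```

The check prints only the username; the decode step is there so you can convince yourself (on the constructed sample) that the blob is the password in plain sight.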

6. Podman storage volumes

  • When a rootless container runs as root, root inside the container is really your own user on the host.
  • Container UID/GID 1 is the first UID/GID of the range assigned to the user in /etc/subuid and /etc/subgid, and so on for the rest of the range.
  • So if you, as a regular user, bind-mount a host directory into the container and create files in it as root inside the container, on the host those files are owned by your own user.

Using a volume

[root@localhost ~]# su - zsl
Last login: Mon Aug 15 15:12:04 CST 2022 on pts/1
[zsl@localhost ~]$ pwd
/home/zsl
[zsl@localhost ~]$ mkdir test
[zsl@localhost ~]$ podman run -it --name zsl1 -v /home/zsl/test:/data:Z busybox /bin/sh
Resolved "busybox" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/busybox:latest...
Error: initializing source docker://busybox:latest: pinging container registry registry-1.docker.io: Get "https://registry-1.docker.io/v2/": net/http: TLS handshake timeout
[zsl@localhost ~]$ podman run -it --name zsl1 -v /home/zsl/test:/data:Z busybox /bin/sh
Resolved "busybox" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 50783e0dfb64 done  
Copying config 7a80323521 done  
Writing manifest to image destination
Storing signatures
/ # ls
bin   data  dev   etc   home  proc  root  run   sys   tmp   usr   var
/ # cd data/
/data # ls
/data # touch file1
/data # ls -l
total 0
-rw-r--r--    1 root     root             0 Aug 15 07:18 file1
/data # id
uid=0(root) gid=0(root) groups=10(wheel)

View on the host

[zsl@localhost ~]$ ll test/
total 0
-rw-r--r--. 1 zsl zsl 0 Aug 15 15:18 file1

# Write to the file
[zsl@localhost ~]$ cd test/
[zsl@localhost test]$ echo "hell world" >> file1
[zsl@localhost test]$ cat file1 
hell world

View inside the container

/data # cat file1 
hell world

# Inside the container the file's owner and group are root. How can it be made to belong to user zsl instead? The answer follows
/data # ls -l
total 4
-rw-r--r--    1 root     root            11 Aug 15 07:27 file1

# Just add --userns=keep-id when running the container
[zsl@localhost ~]$ podman run -it --name test  --userns keep-id -v /home/zsl/test:/data:Z busybox /bin/sh
~ $ cd data/
/data $ ls -l
total 4
-rw-r--r--    1 zsl      zsl             11 Aug 15 07:27 file1
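The ownership seen above is a consequence of the user-namespace UID map. The following added example (not from the original post or Podman's code) does the translation in both directions from a uid_map file; the two sample maps are constructed for a host user with UID 1000 and the subuid entry zsl:100000:65536 from the page, and may differ slightly from what a given Podman version generates. A real map comes from `podman unshare cat /proc/self/uid_map` or from /proc/<container pid>/uid_map.

```sh
#!/bin/sh
# Added example, not from the original post: translate container UIDs to host
# UIDs using the kernel's uid_map format ("inside outside count" per line).

# host_uid MAPFILE CUID -> host UID for container UID CUID, or "unmapped"
# (an unmapped UID appears inside the container as the overflow id 65534/nobody).
host_uid() {
    awk -v cuid="$2" '
        cuid >= $1 && cuid < $1 + $3 { print $2 + (cuid - $1); found = 1; exit }
        END { if (!found) print "unmapped" }
    ' "$1"
}

# container_uid MAPFILE HUID -> reverse direction: which container UID owns
# files created on the host by HUID (or "unmapped").
container_uid() {
    awk -v huid="$2" '
        huid >= $2 && huid < $2 + $3 { print $1 + (huid - $2); found = 1; exit }
        END { if (!found) print "unmapped" }
    ' "$1"
}

# sample_maps DIR -> writes two constructed maps and echoes DIR.
# default: container root is the host user; container 1..65536 -> 100000...
# keep-id: the host user's own UID stays in place, the rest is shifted around it.
sample_maps() {
    printf '0 1000 1\n1 100000 65536\n' > "$1/uid_map.default"
    printf '0 100000 1000\n1000 1000 1\n1001 101000 64536\n' > "$1/uid_map.keepid"
    echo "$1"
}

# Demo against live rootless containers (only when podman is available):
if command -v podman >/dev/null 2>&1 && [ "${1:-}" = "--demo" ]; then
    podman unshare cat /proc/self/uid_map                  # this user's default map
    podman run --rm busybox cat /proc/self/uid_map
    podman run --rm --userns=keep-id busybox sh -c 'id; cat /proc/self/uid_map'
fi
```

In the default map, container root is host UID 1000 (your own user), which is why file1 showed up as zsl:zsl on the host; container UID 1 is host 100000, the first subordinate UID. With --userns=keep-id the host UID is kept in place, so a process that is UID 1000 inside the container is also 1000 outside, and container root becomes a subordinate UID instead. Either way nothing in the container ever runs with a host UID outside your own and your subordinate range, which is the rootless security property.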

Mapping a container port as a regular user fails with "permission denied"

[zsl@localhost ~]$ podman run -d -p 80:80 httpd
Resolving "httpd" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/library/httpd:latest...
Getting image source signatures
Copying blob 1efc276f4ff9 done  
Copying blob 4340e7be3d7f done  
Copying blob 80cb79a80bbe done  
Copying blob aed046121ed8 done  
Copying blob 80e368ef21fc done  
Copying config f2a976f932 done  
Writing manifest to image destination
Storing signatures
Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied

Solution

# 1. A regular user can map ports >= 1024
[zsl@localhost ~]$ podman run -d --name web1 -p 1024:80 httpd
2f2068b89c178aead6016622a3c937f16e605d23a40c301398c371c599d98164
[zsl@localhost ~]$ ss -anlt
State         Recv-Q        Send-Q               Local Address:Port               Peer Address:Port        Process        
LISTEN        0             128                        0.0.0.0:22                      0.0.0.0:*                          
LISTEN        0             128                           [::]:22                         [::]:*                          
LISTEN        0             128                              *:1024                          *:*                          

# 2. After the following setting in /etc/sysctl.conf, ports >= 80 can be mapped (note that this sysctl is host-wide: every unprivileged process on the host, not only Podman, may then bind ports 80-1023)
[root@localhost ~]# vim /etc/sysctl.conf 
net.ipv4.ip_unprivileged_port_start = 80
[root@localhost ~]#  sysctl -p
net.ipv4.ping_group_range = 0 200000
net.ipv4.ip_unprivileged_port_start = 80
[zsl@localhost ~]$ podman run -d --name zsl1 -p 80:80 httpd
553e48b5eb04712f8a8bddd2a8b548eb24ce6c6a3d7eb9098b9ac280fb030dd0
[zsl@localhost ~]$ ss -anlt
State         Recv-Q        Send-Q               Local Address:Port               Peer Address:Port        Process        
LISTEN        0             128                        0.0.0.0:22                      0.0.0.0:*                          
LISTEN        0             128                           [::]:22                         [::]:*                          
LISTEN        0             128                              *:80        

Source: https://www.cnblogs.com/Alone-8712/p/16590354.html