
Basic podman setup and image signing with podman

Author: Internet

Basic podman setup and usage

// Note: because there is only one container on this host, the -l flag is used throughout

Create a container, run it in the background, and map a port with -p

[root@harbor harbor]# podman run -dt -p 8080:8080/tcp -e HTTPD_VAR_RUN=/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d \
>                   -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf \
>                   -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \
>                   registry.fedoraproject.org/f29/httpd /usr/bin/run-httpd

List running containers

[root@harbor harbor]# podman  ps
CONTAINER ID  IMAGE                                        COMMAND               CREATED        STATUS            PORTS                   NAMES
33ff21ebe11a  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  7 seconds ago  Up 8 seconds ago  0.0.0.0:8080->8080/tcp  peaceful_mendel

Inspect the most recent container and filter the output for the IPAddress key

-l selects the most recently created container for the operation

[root@harbor harbor]# podman  inspect  -l | grep -i ipaddress
            "IPAddress": "10.88.0.2",
                    "IPAddress": "10.88.0.2",

Test the httpd server

[root@harbor harbor]# curl http://localhost:8080 |head -10
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     100  4650  100  4650    0     0   908k      0 --:--:-- --:--:-- --:--:--  908k
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
	<head>
		<title>Test Page for the Apache HTTP Server on Fedora</title>
		<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
		<style type="text/css">
			/*<![CDATA[*/
			body {
				background-color: #fff;

View the container's log output

[root@harbor harbor]# podman  logs -l |head -5
=> sourcing 10-set-mpm.sh ...
=> sourcing 20-copy-config.sh ...
=> sourcing 40-ssl-certs.sh ...
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.2. Set the 'ServerName' directive globally to suppress this message
[Mon Aug 15 10:41:07.067613 2022] [ssl:warn] [pid 1:tid 140505771904384] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.1b FIPS  26 Feb 2019, version currently loaded is OpenSSL 1.1.1 FIPS  11 Sep 2018) - may result in undefined or erroneous behavior

View the processes (PIDs) running in the container

[root@harbor harbor]# podman  top -l
USER        PID         PPID        %CPU        ELAPSED          TTY         TIME        COMMAND
default     1           0           0.000       4m55.80820748s   pts/0       0s          httpd -D FOREGROUND 
default     22          1           0.000       4m55.808340444s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     23          1           0.000       4m55.80838719s   pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     24          1           0.000       4m55.808485643s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     25          1           0.000       4m55.808565767s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     26          1           0.000       4m55.808682968s  pts/0       0s          httpd -D FOREGROUND 
default     27          1           0.000       4m55.808730488s  pts/0       0s          httpd -D FOREGROUND 
default     28          1           0.000       4m55.808838997s  pts/0       0s          httpd -D FOREGROUND 
default     29          1           0.000       4m55.808885803s  pts/0       0s          httpd -D FOREGROUND 

Checkpoint the container // a checkpoint is similar to a snapshot

[root@harbor harbor]# podman container checkpoint -l
33ff21ebe11a4bd90144c144f5bc54d7ae816ced96263c5309dc5fc677cf2a7d

Restore the container; it is still reachable on port 8080

[root@harbor harbor]# podman  container restore -l
33ff21ebe11a4bd90144c144f5bc54d7ae816ced96263c5309dc5fc677cf2a7d
[root@harbor harbor]# curl http://192.168.124.128:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
	<head>
		<title>Test Page for the Apache HTTP Server on Fedora</title>
		<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
		<style type="text/css">

Migrating a container

On the source host, export the checkpoint to the file /tmp/checkpoint.tar.gz

Then copy that file to the /tmp directory on 192.168.124.131

[root@harbor harbor]# podman container checkpoint  33ff21ebe11a -e /tmp/checkpoint.tar.gz
33ff21ebe11a4bd90144c144f5bc54d7ae816ced96263c5309dc5fc677cf2a7d
[root@harbor tmp]# scp /tmp/checkpoint.tar.gz 192.168.124.189:/tmp
The authenticity of host '192.168.124.189 (192.168.124.131)' can't be established.
ECDSA key fingerprint is SHA256:FMabC/Kpc+qAFd7ELELgxLLvdOO0KJzdrhZURx+EMHQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.124.189' (ECDSA) to the list of known hosts.
root@192.168.124.189's password: 
checkpoint.tar.gz                          100% 1225KB 125.4MB/s   00:00    

On the destination host, restore the container from the archive

[root@YL ~]# podman container restore -i /tmp/checkpoint.tar.gz 
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob 7692efc5f81c done  
Copying blob d77ff9f653ce done  
Copying blob aaf5ad2e1aa3 done  
Copying config 25c76f9dcd done  
Writing manifest to image destination
Storing signatures
33ff21ebe11a4bd90144c144f5bc54d7ae816ced96263c5309dc5fc677cf2a7d
[root@YL ~]# podman ps -a
CONTAINER ID  IMAGE                                        COMMAND               CREATED             STATUS                 PORTS                   NAMES
33ff21ebe11a  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  About a minute ago  Up About a minute ago  0.0.0.0:8080->8080/tcp  peaceful_mendel
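Restoring a checkpoint replays process memory and open file descriptors captured on the source host, so the archive is worth verifying before podman container restore -i runs on it. The following shell script is an added example and not part of the original post: it records a SHA-256 fingerprint on the source host, then on the destination checks the digest, that the file really is a gzip tarball, and that no member path points outside the extraction directory. The function names checkpoint_fingerprint and verify_checkpoint and the stand-in archive built by the demo function are this example's own constructions; the podman commands in its comments are the ones used in the migration above.

```shell
#!/bin/sh
# Added example (not part of the original post): verify an exported podman
# checkpoint archive before restoring it on the destination host.
# Flow, mirroring the migration above:
#   source:      podman container checkpoint 33ff21ebe11a -e /tmp/checkpoint.tar.gz
#                checkpoint_fingerprint /tmp/checkpoint.tar.gz > /tmp/checkpoint.tar.gz.sha256
#                scp both files to the destination
#   destination: verify_checkpoint /tmp/checkpoint.tar.gz /tmp/checkpoint.tar.gz.sha256 \
#                  && podman container restore -i /tmp/checkpoint.tar.gz

# Emit "<sha256>  <name>" for the archive, the format sha256sum itself uses.
checkpoint_fingerprint() {
    _arc=$1
    ( cd "$(dirname "$_arc")" && sha256sum "$(basename "$_arc")" )
}

# Succeed only if the archive hashes to the recorded digest, lists as a
# gzip tarball, and contains no absolute or parent-directory member paths.
verify_checkpoint() {
    _arc=$1
    _sum=$2
    [ -f "$_arc" ] || { echo "missing archive: $_arc" >&2; return 1; }
    [ -f "$_sum" ] || { echo "missing fingerprint file: $_sum" >&2; return 1; }

    # 1. integrity: compare digests by value, so a rename in transit is fine
    _expected=$(awk 'NR == 1 { print $1 }' "$_sum")
    _actual=$(sha256sum "$_arc" | awk '{ print $1 }')
    if [ "$_expected" != "$_actual" ]; then
        echo "digest mismatch for $_arc: expected $_expected, got $_actual" >&2
        return 1
    fi

    # 2. structure: it must list cleanly as a gzip tar ...
    if ! _members=$(tar -tzf "$_arc" 2>/dev/null); then
        echo "not a readable gzip tarball: $_arc" >&2
        return 1
    fi
    # ... and no member may escape the directory it is unpacked into
    if printf '%s\n' "$_members" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "archive contains absolute or .. member paths: $_arc" >&2
        return 1
    fi
    echo "checkpoint archive OK: $_arc"
}

# Offline self-check on constructed data (no podman needed): a stand-in
# archive must verify, and a copy with one extra byte appended must not.
demo_checkpoint_verify() {
    _dir=$(mktemp -d) || return 1
    printf 'constructed stand-in for config.dump\n' > "$_dir/config.dump"
    tar -czf "$_dir/checkpoint.tar.gz" -C "$_dir" config.dump
    checkpoint_fingerprint "$_dir/checkpoint.tar.gz" > "$_dir/checkpoint.tar.gz.sha256"
    cp "$_dir/checkpoint.tar.gz" "$_dir/tampered.tar.gz"
    printf 'x' >> "$_dir/tampered.tar.gz"

    _rc=0
    verify_checkpoint "$_dir/checkpoint.tar.gz" "$_dir/checkpoint.tar.gz.sha256" >/dev/null || _rc=1
    verify_checkpoint "$_dir/tampered.tar.gz" "$_dir/checkpoint.tar.gz.sha256" 2>/dev/null && _rc=1
    rm -rf "$_dir"
    return $_rc
}

demo_checkpoint_verify && echo "demo: original accepted, tampered copy rejected"
```

The fingerprint file should travel over a channel the attacker of the transfer path cannot also write to (the scp session above, after the host key has been confirmed, is fine; a side channel such as a ticket or chat message is better). The digest compares by value, so the archive may be renamed on the way.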

Stop the container

[root@harbor ~]# podman  stop -l
33ff21ebe11a4bd90144c144f5bc54d7ae816ced96263c5309dc5fc677cf2a7d

List all containers

[root@harbor ~]# podman  ps -a
CONTAINER ID  IMAGE                                        COMMAND               CREATED      STATUS                  PORTS                   NAMES
33ff21ebe11a  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  4 hours ago  Exited (0) 4 hours ago  0.0.0.0:8080->8080/tcp  peaceful_mendel

Remove the container

[root@harbor ~]# podman  rm -l
33ff21ebe11a4bd90144c144f5bc54d7ae816ced96263c5309dc5fc677cf2a7d

Signing and distribution

Generate a GPG key

[root@harbor ~]# gpg --full-gen-key 
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:		// choose the key type
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 
RSA keys may be between 1024 and 4096 bits long.  // RSA key length must be between 1024 and 4096 bits
What keysize do you want? (2048) 		// the key size you want
Requested keysize is 2048 bits
Please specify how long the key should be valid.		// set the key's validity period
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: liuyang123@qq.com
Email address: liuyang123@qq.com
Comment: abc
You selected this USER-ID:
    "liuyang123@qq.com (abc) <liuyang123@qq.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 1A2266F0091C7834 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/35550116EFB799E49FCC05BD1A2266F0091C7834.rev'
public and secret key created and signed.

pub   rsa2048 2022-08-15 [SC]
      35550116EFB799E49FCC05BD1A2266F0091C7834
uid                      liuyang123@qq.com (abc) <liuyang123@qq.com>
sub   rsa2048 2022-08-15 [E]

View the generated key

[root@harbor ~]# gpg --list-keys liuyang123@qq.com
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   rsa2048 2022-08-15 [SC]
      35550116EFB799E49FCC05BD1A2266F0091C7834
uid           [ultimate] liuyang123@qq.com (abc) <liuyang123@qq.com>
sub   rsa2048 2022-08-15 [E]
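The interactive prompts above can be driven unattended with a GnuPG batch parameter file, which is how an image-signing key is normally provisioned on a build host. This shell script is an added example and not from the original post: it writes a parameter file for the same key shape as above (RSA 2048 primary for sign and certify, RSA 2048 encryption subkey, no expiry) and can generate the key into a dedicated GNUPGHOME. The function names, the RUN_GPG and SIGNING_KEY_PASSPHRASE variables and the user ID values are this example's assumptions; GnuPG 2.1 or later is assumed for --generate-key.

```shell
#!/bin/sh
# Added example (not part of the original post): unattended generation of the
# key the interactive session above created, from a GnuPG batch parameter file.
# Assumes GnuPG >= 2.1; the passphrase is passed as an argument (in practice
# from a secret store, here the SIGNING_KEY_PASSPHRASE variable).

# Write a GnuPG --batch parameter file. An empty passphrase falls back to
# %no-protection, which is only acceptable for throwaway CI keys.
write_gpg_batch_params() {
    _out=$1 _name=$2 _email=$3 _comment=$4 _pass=$5
    {
        echo "%echo generating image signing key for $_email"
        echo "Key-Type: RSA"
        echo "Key-Length: 2048"
        echo "Key-Usage: sign"          # primary key: sign (+ certify, always implied) -> [SC]
        echo "Subkey-Type: RSA"
        echo "Subkey-Length: 2048"
        echo "Subkey-Usage: encrypt"    # subkey: encrypt -> [E]
        echo "Name-Real: $_name"
        [ -n "$_comment" ] && echo "Name-Comment: $_comment"
        echo "Name-Email: $_email"
        echo "Expire-Date: 0"           # 0 = key does not expire, as chosen above
        if [ -n "$_pass" ]; then
            echo "Passphrase: $_pass"
        else
            echo "%no-protection"
            echo "warning: writing parameters for an UNPROTECTED key" >&2
        fi
        echo "%commit"
        echo "%echo done"
    } > "$_out"
}

# Read one field back from a parameter file (used by the self-check below).
params_field() {
    awk -v k="$2" -F': ' '$1 == k { print $2; exit }' "$1"
}

# Generate the key into a dedicated GNUPGHOME and print its full fingerprint
# (the 10th field of the "fpr" record in --with-colons output).
generate_image_signing_key() {
    _home=$1 _params=$2
    mkdir -p "$_home" && chmod 700 "$_home"
    gpg --batch --homedir "$_home" --generate-key "$_params" >/dev/null 2>&1 || return 1
    gpg --homedir "$_home" --list-keys --with-colons | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Demo: write the parameter file for the user ID used above. gpg itself is
# only invoked when RUN_GPG=1 is set, so the script runs on hosts without it.
_params=$(mktemp)
write_gpg_batch_params "$_params" "liuyang123@qq.com" "liuyang123@qq.com" "abc" "${SIGNING_KEY_PASSPHRASE:-}"
echo "batch parameters (passphrase line omitted):"
grep -v '^Passphrase:' "$_params"
if [ "${RUN_GPG:-0}" = 1 ] && command -v gpg >/dev/null 2>&1; then
    _fpr=$(generate_image_signing_key "$(mktemp -d)" "$_params") && echo "fingerprint: $_fpr"
fi
rm -f "$_params"
```

The fingerprint printed at the end (or the e-mail user ID) is the identity that podman push --sign-by takes once the registries.d configuration below is in place. Keep the GNUPGHOME used here off any shared image; it holds the private signing key.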

Pick an image to experiment with signing

[root@harbor ~]# podman  pull docker.io/alpine:latest
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob 59bf1c3509f3 done  
Copying config c059bfaa84 done  
Writing manifest to image destination
Storing signatures
c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18
[root@harbor ~]# podman  images
REPOSITORY                            TAG         IMAGE ID      CREATED       SIZE
docker.io/library/alpine              latest      c059bfaa849c  8 months ago  5.87 MB
registry.fedoraproject.org/f29/httpd  latest      25c76f9dcdb5  3 years ago   482 MB

Re-tag the image so that it points at the harbor registry

[root@harbor ~]# podman  tag alpine 192.168.124.128/alpine:v1.1
[root@harbor ~]# podman  images
REPOSITORY                            TAG         IMAGE ID      CREATED       SIZE
192.168.124.128/alpine                v1.1        c059bfaa849c  8 months ago  5.87 MB
registry.fedoraproject.org/f29/httpd  latest      25c76f9dcdb5  3 years ago   482 MB

podman can push the image and sign it in the same command, but the registry configuration in /etc/containers/registries.d/default.yaml has to be set up first

[root@harbor ~]# vim /etc/containers/registries.d/default.yaml 
default-docker:
#  sigstore: file:///var/lib/containers/sigstore
  # URL that clients read signatures from (served over http by the harbor host)
  sigstore: http://192.168.124.128:80
  # local directory that podman push --sign-by writes new signatures into
  sigstore-staging: file:///var/lib/containers/sigstore
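A misspelled key or a URL missing its scheme in this file is easy to overlook by eye, and podman gives no hint that the lookaside setting was never applied. As an added example (not from the original post), here is a small shell lint for registries.d files. It assumes the key names sigstore, sigstore-staging and their newer aliases lookaside and lookaside-staging, requires file:///, http:// or https:// values, requires the -staging key to be a local file:/// path because that is where new signatures are written, and treats any other indented name without a value as a nested mapping header (a registry entry under docker:). Its two fixtures are constructed: one reproduces the typos this file is prone to (singtore, http: without //), the other is a corrected copy.

```shell
#!/bin/sh
# Added example (not part of the original post): lint a
# /etc/containers/registries.d/*.yaml file for misspelled keys and bad URLs.
# Exit status is the number of errors found; warnings do not affect it.
lint_registries_d() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
    /^[^[:space:]]/ { next }                        # top-level keys: default-docker:, docker:
    {
        line = $0
        sub(/^[[:space:]]+/, "", line)
        n = index(line, ":")
        if (n == 0) { printf("ERROR line %d: not a key/value pair: %s\n", NR, $0); errs++; next }
        key = substr(line, 1, n - 1)
        val = substr(line, n + 1)
        sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
        gsub(/^"|"$/, "", val)                      # tolerate quoted values
        known = (key == "sigstore" || key == "sigstore-staging" || key == "lookaside" || key == "lookaside-staging")
        if (val == "") {
            if (known) { printf("ERROR line %d: %s has no value\n", NR, key); errs++ }
            next                                    # otherwise a nested mapping header
        }
        if (!known) {
            printf("ERROR line %d: unknown key \"%s\" (expected sigstore, sigstore-staging, lookaside or lookaside-staging)\n", NR, key)
            errs++; next
        }
        if (val !~ /^(file:\/\/\/|https?:\/\/)/) {
            printf("ERROR line %d: %s value \"%s\" is not a file:///, http:// or https:// URL\n", NR, key, val)
            errs++; next
        }
        if (key ~ /-staging$/ && val !~ /^file:\/\/\//) {
            printf("ERROR line %d: %s must be a local file:/// path; new signatures are written there\n", NR, key)
            errs++; next
        }
        if (val ~ /^http:\/\//) printf("WARN  line %d: %s is fetched over plain http; prefer https\n", NR, key)
    }
    END { exit errs + 0 }' "$1"
}

# Constructed fixture 1: the two typos the hand-edited file is prone to.
make_fixture_bad() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
default-docker:
#  sigstore: file:///var/lib/containers/sigstore
  singtore: http:192.168.124.128:80
  sigstore-staging: file:///var/lib/containers/sigstore
EOF
    echo "$_f"
}

# Constructed fixture 2: the corrected file.
make_fixture_good() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
default-docker:
  sigstore: http://192.168.124.128:80
  sigstore-staging: file:///var/lib/containers/sigstore
EOF
    echo "$_f"
}

for f in "$(make_fixture_bad)" "$(make_fixture_good)"; do
    echo "== $f"
    lint_registries_d "$f" && echo "lint: OK" || echo "lint: errors found"
    rm -f "$f"
done
```

Run it as lint_registries_d /etc/containers/registries.d/default.yaml after editing; a non-zero exit means at least one setting would not take effect as intended. The plain-http warning is informational: signatures fetched from the sigstore URL are still verified against the configured public key, so a tampered download fails verification rather than being accepted, but https removes that denial-of-service path.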

Source: https://www.cnblogs.com/TQingS/p/16590183.html