Basic podman setup and podman image signing
Author: Internet
Basic podman setup and usage
Note: because there is only one container, the -l option is used throughout.
Create a container, run it in the background, and map a port with -p
[root@harbor harbor]# podman run -dt -p 8080:8080/tcp -e HTTPD_VAR_RUN=/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d \
> -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf \
> -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \
> registry.fedoraproject.org/f29/httpd /usr/bin/run-httpd
List running containers
[root@harbor harbor]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
33ff21ebe11a registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 7 seconds ago Up 8 seconds ago 0.0.0.0:8080->8080/tcp peaceful_mendel
Inspect the most recent container and filter its details for the IPAddress key
-l selects the most recently created container
[root@harbor harbor]# podman inspect -l | grep -i ipaddress
"IPAddress": "10.88.0.2",
"IPAddress": "10.88.0.2",
Test the httpd server
[root@harbor harbor]# curl http://localhost:8080 |head -10
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 100 4650 100 4650 0 0 908k 0 --:--:-- --:--:-- --:--:-- 908k
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Test Page for the Apache HTTP Server on Fedora</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
/*<![CDATA[*/
body {
background-color: #fff;
View the container's log output
[root@harbor harbor]# podman logs -l |head -5
=> sourcing 10-set-mpm.sh ...
=> sourcing 20-copy-config.sh ...
=> sourcing 40-ssl-certs.sh ...
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.2. Set the 'ServerName' directive globally to suppress this message
[Mon Aug 15 10:41:07.067613 2022] [ssl:warn] [pid 1:tid 140505771904384] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.1b FIPS 26 Feb 2019, version currently loaded is OpenSSL 1.1.1 FIPS 11 Sep 2018) - may result in undefined or erroneous behavior
View the container's PIDs
[root@harbor harbor]# podman top -l
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
default 1 0 0.000 4m55.80820748s pts/0 0s httpd -D FOREGROUND
default 22 1 0.000 4m55.808340444s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 23 1 0.000 4m55.80838719s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 24 1 0.000 4m55.808485643s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 25 1 0.000 4m55.808565767s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 26 1 0.000 4m55.808682968s pts/0 0s httpd -D FOREGROUND
default 27 1 0.000 4m55.808730488s pts/0 0s httpd -D FOREGROUND
default 28 1 0.000 4m55.808838997s pts/0 0s httpd -D FOREGROUND
default 29 1 0.000 4m55.808885803s pts/0 0s httpd -D FOREGROUND
Checkpoint the container (a checkpoint is similar to a snapshot)
[root@harbor harbor]# podman container checkpoint -l
33ff21ebe11a4bd90144c144f5bc54d7ae816ced96263c5309dc5fc677cf2a7d
Restore the container; port 8080 is still reachable afterwards
[root@harbor harbor]# podman container restore -l
33ff21ebe11a4bd90144c144f5bc54d7ae816ced96263c5309dc5fc677cf2a7d
[root@harbor harbor]# curl http://192.168.124.128:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Test Page for the Apache HTTP Server on Fedora</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
Migrate the container
On the source host, export the checkpoint into the file /tmp/checkpoint.tar.gz
Copy that file to the /tmp directory on 192.168.124.131
[root@harbor harbor]# podman container checkpoint 33ff21ebe11a -e /tmp/checkpoint.tar.gz
33ff21ebe11a4bd90144c144f5bc54d7ae816ced96263c5309dc5fc677cf2a7d
[root@harbor tmp]# scp /tmp/checkpoint.tar.gz 192.168.124.189:/tmp
The authenticity of host '192.168.124.189 (192.168.124.131)' can't be established.
ECDSA key fingerprint is SHA256:FMabC/Kpc+qAFd7ELELgxLLvdOO0KJzdrhZURx+EMHQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.124.189' (ECDSA) to the list of known hosts.
root@192.168.124.189's password:
checkpoint.tar.gz 100% 1225KB 125.4MB/s 00:00
On the destination host
[root@YL ~]# podman container restore -i /tmp/checkpoint.tar.gz
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob 7692efc5f81c done
Copying blob d77ff9f653ce done
Copying blob aaf5ad2e1aa3 done
Copying config 25c76f9dcd done
Writing manifest to image destination
Storing signatures
33ff21ebe11a4bd90144c144f5bc54d7ae816ced96263c5309dc5fc677cf2a7d
[root@YL ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
33ff21ebe11a registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... About a minute ago Up About a minute ago 0.0.0.0:8080->8080/tcp peaceful_mendel
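The migration procedure above (checkpoint, export, copy, restore) as one script, added here as an example; it is not code from the original post or from the podman project. Values taken from the post: container id 33ff21ebe11a, port 8080, the archive path /tmp/checkpoint.tar.gz and the destination 192.168.124.131 (substitute the host you actually copy to). The digest side file, the chmod and the polling health check are additions, because the archive holds the container's process memory and changed files, so a practitioner wants it locked down in transit and verified before it is handed to "podman container restore".

```shell
#!/bin/sh
# Added example, not from the original post. Values from the post: the
# container id 33ff21ebe11a, port 8080, /tmp/checkpoint.tar.gz and the
# destination host 192.168.124.131. Hypothetical: the ".sha256" side file
# and the 30-attempt health-check loop.
set -eu

CID="33ff21ebe11a"
ARCHIVE="/tmp/checkpoint.tar.gz"
DEST_HOST="192.168.124.131"
PORT="8080"

# SHA-256 of a file, printed as the bare hex digest.
file_digest() { sha256sum "$1" | cut -d' ' -f1; }

# Compare a file against an expected digest; returns 1 on mismatch so a
# tampered or truncated archive is never restored.
verify_digest() {
    actual=$(file_digest "$1")
    [ "$actual" = "$2" ]
}

# Poll the restored service until it answers, instead of a single curl.
wait_for_http() {
    url=$1; attempts=${2:-30}
    while [ "$attempts" -gt 0 ]; do
        if curl -fsS -o /dev/null "$url"; then return 0; fi
        attempts=$((attempts - 1)); sleep 1
    done
    return 1
}

# Source host: export the checkpoint, then lock the file down. The archive
# carries the process memory and changed files of the container, so it can
# contain whatever httpd had in RAM (configs, keys, request data).
export_checkpoint() {
    podman container checkpoint "$CID" -e "$ARCHIVE"
    chmod 600 "$ARCHIVE"
    file_digest "$ARCHIVE" >"$ARCHIVE.sha256"
}

# Copy archive and digest to the destination over scp. The host key should
# already be in known_hosts; the post accepted it interactively on first use.
transfer_checkpoint() {
    scp "$ARCHIVE" "$ARCHIVE.sha256" "root@$DEST_HOST:/tmp/"
}

# Destination host: refuse to restore unless the digest matches, then restore.
# As the post's output shows, podman pulls the image if it is missing, so the
# destination's own signature policy applies to that pull. Finish with a
# health check on the mapped port.
restore_checkpoint() {
    verify_digest "$ARCHIVE" "$(cat "$ARCHIVE.sha256")" || {
        echo "digest mismatch for $ARCHIVE; not restoring" >&2; return 1; }
    podman container restore -i "$ARCHIVE"
    wait_for_http "http://localhost:$PORT/"
}

# Usage (uncomment on the respective side; needs podman, scp and curl):
# source:      export_checkpoint && transfer_checkpoint
# destination: restore_checkpoint
```

The digest is sent as a separate file next to the archive, so a transfer that is cut short or altered in flight fails loudly on the destination instead of restoring a partial container.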
Stop the container
[root@harbor ~]# podman stop -l
33ff21ebe11a4bd90144c144f5bc54d7ae816ced96263c5309dc5fc677cf2a7d
List all containers
[root@harbor ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
33ff21ebe11a registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 4 hours ago Exited (0) 4 hours ago 0.0.0.0:8080->8080/tcp peaceful_mendel
Remove the container
[root@harbor ~]# podman rm -l
33ff21ebe11a4bd90144c144f5bc54d7ae816ced96263c5309dc5fc677cf2a7d
Signing and distribution
Generate a GPG key
[root@harbor ~]# gpg --full-gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want: // choose the key type
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection?
RSA keys may be between 1024 and 4096 bits long. // RSA key length is between 1024 and 4096 bits
What keysize do you want? (2048) // the key size you want
Requested keysize is 2048 bits
Please specify how long the key should be valid. // specify the key's validity period
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: liuyang123@qq.com
Email address: liuyang123@qq.com
Comment: abc
You selected this USER-ID:
"liuyang123@qq.com (abc) <liuyang123@qq.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 1A2266F0091C7834 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/35550116EFB799E49FCC05BD1A2266F0091C7834.rev'
public and secret key created and signed.
pub rsa2048 2022-08-15 [SC]
35550116EFB799E49FCC05BD1A2266F0091C7834
uid liuyang123@qq.com (abc) <liuyang123@qq.com>
sub rsa2048 2022-08-15 [E]
View the generated key
[root@harbor ~]# gpg --list-keys liuyang123@qq.com
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub rsa2048 2022-08-15 [SC]
35550116EFB799E49FCC05BD1A2266F0091C7834
uid [ultimate] liuyang123@qq.com (abc) <liuyang123@qq.com>
sub rsa2048 2022-08-15 [E]
Pick an image to experiment with signing
[root@harbor ~]# podman pull docker.io/alpine:latest
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob 59bf1c3509f3 done
Copying config c059bfaa84 done
Writing manifest to image destination
Storing signatures
c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18
[root@harbor ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
registry.fedoraproject.org/f29/httpd latest 25c76f9dcdb5 3 years ago 482 MB
Re-tag the image so that it points at harbor
[root@harbor ~]# podman tag alpine 192.168.124.128/alpine:v1.1
[root@harbor ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.124.128/alpine v1.1 c059bfaa849c 8 months ago 5.87 MB
registry.fedoraproject.org/f29/httpd latest 25c76f9dcdb5 3 years ago 482 MB
podman can push an image and sign it in a single command, but the registry configuration file /etc/containers/registries.d/default.yaml has to be set up first
[root@harbor ~]# vim /etc/containers/registries.d/default.yaml
default-docker:
  # sigstore: file:///var/lib/containers/sigstore
  sigstore: http://192.168.124.128:80
  sigstore-staging: file:///var/lib/containers/sigstore
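The key generation session and the registries.d configuration above, combined in one script as an added example; this is not the post's code and not podman's or GnuPG's own tooling. Values from the post: the registry host 192.168.124.128, the signer uid liuyang123@qq.com, the image 192.168.124.128/alpine:v1.1 and the staging directory /var/lib/containers/sigstore. Assumptions: the public-key path under /etc/containers/keys, a 4096-bit key with a one-year expiry (the post's key is 2048-bit and never expires), and the consumer-side policy.json, which goes beyond the post: it is the piece that makes the signature enforceable on the host that pulls the image. The lint function exists because the post's original config had two defects that would have been easy to miss, a misspelled key and a URL without "//".

```shell
#!/bin/sh
# Added example, not from the original post. Values taken from the post: the
# registry host 192.168.124.128, the signer uid liuyang123@qq.com, the image
# 192.168.124.128/alpine:v1.1 and the staging dir /var/lib/containers/sigstore.
# Hypothetical: the public-key path under /etc/containers/keys and the
# one-year key expiry (the post's key never expires).
set -eu

REGISTRY="192.168.124.128"
SIGNER="liuyang123@qq.com"
IMAGE="$REGISTRY/alpine:v1.1"
STAGING="/var/lib/containers/sigstore"
PUBKEY="/etc/containers/keys/harbor-signer.gpg"   # hypothetical path

# Unattended replacement for the interactive "gpg --full-gen-key" session.
# gpg asks for a passphrase through pinentry; add "%no-protection" only on a
# locked-down build host where an unprotected signing key is acceptable.
gen_signing_key() {
    gpg --batch --generate-key <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: $SIGNER
Name-Comment: abc
Name-Email: $SIGNER
Expire-Date: 1y
%commit
EOF
}

# Public key only; this file is what consuming hosts pin in policy.json.
export_pubkey() { gpg --export "$SIGNER" >"$1"; }

# A usable sigstore/lookaside value is an absolute URL with a scheme. The
# post's "http:192.168.124.128:80" (no "//") would not be.
check_sigstore_url() {
    case "$1" in
        http://?*|https://?*|file:///?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Lint a registries.d fragment read from stdin: only the documented keys are
# accepted (so the post's "singtore" is caught) and every value must pass
# check_sigstore_url. Prints one line per problem; returns 1 if any was found.
check_registries_d() {
    rc=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$line" in
            ''|\#*|*:) continue ;;          # blank, comment, or section header
        esac
        key=${line%%:*}
        val=$(printf '%s' "${line#*:}" | sed 's/^[[:space:]]*//')
        case "$key" in
            sigstore|sigstore-staging|lookaside|lookaside-staging) ;;
            *) echo "unknown key '$key' (expected sigstore or sigstore-staging)"; rc=1; continue ;;
        esac
        check_sigstore_url "$val" || { echo "bad URL for $key: $val"; rc=1; }
    done
    return $rc
}

# Corrected /etc/containers/registries.d/default.yaml: podman writes new
# signatures under sigstore-staging; consumers fetch them from the sigstore
# URL, so that directory has to be published at that URL by a web server on
# the registry host.
write_registries_d() {
    cat >"$1" <<EOF
default-docker:
  sigstore: http://$REGISTRY:80
  sigstore-staging: file://$STAGING
EOF
}

# Push and sign in one step with the key whose uid is $SIGNER.
push_signed() { podman push --sign-by "$SIGNER" "$IMAGE"; }

# Consumer-side /etc/containers/policy.json: images from the harbor host are
# accepted only when signed by the pinned key; anything else is rejected.
# Add entries for other registries you pull from before deploying this.
write_policy() {
    cat >"$1" <<EOF
{
  "default": [ { "type": "reject" } ],
  "transports": {
    "docker": {
      "$REGISTRY": [
        { "type": "signedBy", "keyType": "GPGKeys", "keyPath": "$PUBKEY" }
      ]
    }
  }
}
EOF
}

# Signing host (uncomment to run; needs gpg and podman):
# gen_signing_key && export_pubkey "$PUBKEY"
# write_registries_d /etc/containers/registries.d/default.yaml && push_signed
# Consuming host, after copying $PUBKEY there:
# write_policy /etc/containers/policy.json
```

Without the policy.json half, a signature is only metadata: podman on the pulling host accepts unsigned images just the same. The default "reject" entry is deliberately strict; it also blocks pulls from docker.io and registry.fedoraproject.org until those get their own entries.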
Source: https://www.cnblogs.com/TQingS/p/16590183.html