
Podman rootless mode

Author: 互联网


Contents

Podman rootless mode

Before users without root privileges may run Podman, the administrator must install or build Podman and complete the following configuration.

cgroup v2 is the Linux kernel feature that lets the system limit the resources an ordinary user's containers may consume. If the distribution running Podman has cgroup v2 enabled, the default OCI runtime may need to change: older versions of runc do not work with cgroup v2, so switch to the alternative OCI runtime crun. The setting is the runtime key in the [engine] section of containers.conf. The transcript below edits /usr/share/containers/containers.conf, which holds the distribution defaults and is overwritten on package upgrades; the administrator's copy is /etc/containers/containers.conf, and an ordinary user can override it in ~/.config/containers/containers.conf. After changing it, podman info --format '{{.Host.OCIRuntime.Name}}' shows which runtime is actually in use, and podman inspect on a running container confirms it, as shown below.

[root@localhost ~]# yum -y install crun     // ships with CentOS 8
[root@localhost ~]# vim /usr/share/containers/containers.conf
runtime = "crun"
#runtime = "runc"
[root@localhost ~]# podman run -d --name web -p 8088:80 httpd
c38887b81d73e7b4ae511c68ddee01fc753d8b902380c4bb8da9dfcf1457fa76
[root@localhost ~]# 
[root@localhost ~]# podman ps 
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS                 NAMES
c38887b81d73  docker.io/library/httpd:latest  httpd-foreground  5 seconds ago  Up 5 seconds ago  0.0.0.0:8088->80/tcp  web
[root@localhost ~]# podman inspect web |grep crun
        "OCIRuntime": "crun",
            "crun",

When Podman is used by an ordinary user, fuse-overlayfs is recommended over the VFS storage driver (VFS copies every layer in full, which is slow and wastes disk space); fuse-overlayfs 0.7.6 or newer is required. Recent Podman versions select it by default, and on kernels that allow unprivileged overlay mounts they use the kernel's native overlay driver directly. The mount_program key lives in the [storage.options.overlay] section of storage.conf; podman info --format '{{.Store.GraphDriverName}}' shows the driver in effect.

[root@localhost ~]# vi /etc/containers/storage.conf
mount_program = "/usr/bin/fuse-overlayfs"   // uncomment this line (in the [storage.options.overlay] section)

/etc/subuid and /etc/subgid configuration
Podman requires the user running it to have a range of subordinate UIDs and GIDs listed in /etc/subuid and /etc/subgid; the shadow-utils or newuid package provides these files. Without such a range Podman cannot set up the user namespace a rootless container runs in, and no UID other than the user's own can exist inside the container.

[root@localhost ~]# useradd zz
[root@localhost ~]# cat /etc/subuid
zz:100000:65536
[root@localhost ~]# cat /etc/subgid
zz:100000:65536

// enable unprivileged ping for rootless containers: ping_group_range lists the GIDs allowed to open ICMP echo sockets, and 0 300000 covers both zz's own GID and the subordinate range
[root@localhost ~]# vim /etc/sysctl.conf
net.ipv4.ping_group_range=0 300000

The file format is USERNAME:START:COUNT: the user name as it appears in /etc/passwd (or in getpwent output), the first subordinate ID, and how many consecutive IDs belong to the user. Ranges of different users must not overlap, and they should never reach into the IDs of real host accounts, because a container process running as a subordinate UID is that host UID from the kernel's point of view. usermod --add-subuids FIRST-LAST and --del-subuids FIRST-LAST edit the ranges (LAST is inclusive; --add-subgids and --del-subgids work the same way). After changing a user's ranges, run podman system migrate as that user so that Podman creates a fresh user namespace with the updated mapping.

[root@localhost ~]# useradd hh
[root@localhost ~]# cat /etc/subuid
zz:100000:65536
hh:165536:65536
[root@localhost ~]# usermod --del-subuids 165536-231072 --del-subgids 165536-231072 hh 
[root@localhost ~]# cat /etc/subuid
zz:100000:65536
[root@localhost ~]# usermod --add-subuids 200000-201000 --add-subgids 200000-201000 hh
[root@localhost ~]# cat /etc/subuid
zz:100000:65536
hh:200000:1001
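The overlap rule above is easy to get wrong when ranges are edited by hand, as the hh example shows. The following check is an added example, not code from the original post: it reads a subuid or subgid file and reports malformed lines, ranges smaller than 65536 IDs (the size useradd allocated above, and enough for the nobody ID 65534 most images contain), ranges overlapping another user's, and ranges that reach into the host's own account IDs. The 65536 ceiling for host accounts is an assumption; adjust it for your site.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check /etc/subuid or
# /etc/subgid before relying on it for rootless Podman.

MIN_COUNT=65536        # size useradd allocated above; also covers nobody (65534)
HOST_ID_CEILING=65536  # assumption: real host accounts live below this ID

# check_subid_file FILE
# Prints one line per problem and returns 1 if any problem was found.
check_subid_file() {
    awk -v min="$MIN_COUNT" -v ceil="$HOST_ID_CEILING" '
    BEGIN { FS = ":"; bad = 0 }
    /^[[:space:]]*$/ { next }
    NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
        print "line " NR ": malformed entry: " $0; bad = 1; next
    }
    {
        name[NR] = $1; start[NR] = $2 + 0; end[NR] = $2 + $3 - 1
        if ($3 + 0 < min) {
            print $1 ": only " $3 " ids, images expect at least " min; bad = 1
        }
        if (start[NR] < ceil) {
            # a container process running as this subordinate id IS that host account
            print $1 ": range starts at " start[NR] ", inside host account ids"; bad = 1
        }
        for (i in name) {
            if (i == NR) continue
            # two inclusive ranges overlap when each starts before the other ends
            if (start[NR] <= end[i] && start[i] <= end[NR]) {
                print $1 ": range " start[NR] "-" end[NR] " overlaps " name[i] " (" start[i] "-" end[i] ")"
                bad = 1
            }
        }
    }
    END { exit bad }
    ' "$1"
}

# Typical use on a host, as root:
#   check_subid_file /etc/subuid && check_subid_file /etc/subgid
```

Run it after every useradd or usermod that touches the ranges; a clean exit status means the file is safe to hand to rootless Podman, and each reported line names the user whose entry needs fixing.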

User configuration files

The three main configuration files are containers.conf, storage.conf and registries.conf. Users can modify them as needed. Each is read in the order listed below, and a later file overrides the settings of the earlier ones, so a rootless user's copy in $HOME wins over the site-wide file.
containers.conf

[root@localhost ~]# cat /usr/share/containers/containers.conf    // distribution defaults
[root@localhost ~]# cat /etc/containers/containers.conf          // site-wide overrides
[root@localhost ~]# cat ~/.config/containers/containers.conf     // per-user, highest priority

storage.conf

1. /etc/containers/storage.conf
2. $HOME/.config/containers/storage.conf

registries.conf

1. /etc/containers/registries.conf
2. /etc/containers/registries.conf.d/*.conf (drop-in fragments)
3. $HOME/.config/containers/registries.conf

registries.conf decides which registries an unqualified image name is searched in and which registries may be reached over plain HTTP, so when a rootless pull behaves differently from root's, check the per-user copy first.

An ordinary user and root do not see each other's images: root's storage is under /var/lib/containers/storage, while each rootless user has a private store under $HOME/.local/share/containers/storage (podman info --format '{{.Store.GraphRoot}}' prints the path in use). Images, containers and volumes therefore have to be pulled or created separately for each user.

// root user
[root@localhost ~]# podman images
REPOSITORY                            TAG         IMAGE ID      CREATED       SIZE
docker.io/library/httpd               latest      f2a976f932ec  2 weeks ago   149 MB
docker.io/library/busybox             latest      7a80323521cc  2 weeks ago   1.47 MB
localhost/zzking1/busybox             v0.1        7a80323521cc  2 weeks ago   1.47 MB
docker.io/library/alpine              latest      c059bfaa849c  8 months ago  5.87 MB
192.168.26.132/apline                 v0.1        c059bfaa849c  8 months ago  5.87 MB
registry.fedoraproject.org/f29/httpd  latest      25c76f9dcdb5  3 years ago   482 MB
// ordinary user
[root@localhost ~]# su - zz
[zz@localhost ~]$ podman images
REPOSITORY  TAG         IMAGE ID    CREATED     SIZE

Using volumes

The :Z suffix on the bind mount asks Podman to relabel the host directory with a private SELinux label for this container, so the container can read and write it with SELinux in enforcing mode. Use it only on directories dedicated to the container: relabeling a shared system directory breaks other services' access to it.

[root@localhost ~]# su - zz
Last login: Tue Aug 16 18:18:28 CST 2022 on pts/0
[zz@localhost ~]$ pwd
/home/zz
[zz@localhost ~]$ mkdir /home/zz/data
[zz@localhost ~]$ podman run -it --name z1 -v /home/zz/data/:/data:Z busybox /bin/sh
/ # ls
bin   data  dev   etc   home  proc  root  run   sys   tmp   usr   var
/ # cd data/
/data # ls
/data # touch 123
/data # ls -l
total 0
-rw-r--r--    1 root     root             0 Aug 16 10:25 123

View on the host

[zz@localhost ~]$ ll data/
total 0
-rw-r--r--. 1 zz zz 0 Aug 16 18:25 123
[zz@localhost ~]$ echo "hell world" >> 123
[zz@localhost ~]$ cat 123 
hell world

View inside the container

/data # cat 123 
hell world
// Inside the container the file is owned by root:root, yet on the host the same file belongs to zz, because container root is mapped to the user's own UID. How do we make the file show up as zz inside the container as well? The answer follows.
/data # ls -l
total 4
-rw-rw-r--    1 root     root            11 Aug 16 10:37 123
// Add --userns=keep-id when running the container. It maps zz's UID to the same UID inside the container and starts the process as zz, which is why the prompt changes from # to $. (The earlier z1 container must be removed with podman rm z1 before the name can be reused.) With keep-id, container root no longer maps to zz but to the first subordinate UID, so anything created as root in such a container appears on the host owned by UID 100000; use podman unshare to run commands inside the user namespace where those files are writable.
[zz@localhost ~]$ podman run -it --name z1 -v /home/zz/data/:/data:Z  --userns=keep-id busybox /bin/sh
~ $ cd data/
/data $ ls -l
total 4
-rw-rw-r--    1 zz       zz              11 Aug 16 10:37 123
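Why the same file is root inside the container and zz on the host, and what changes with --userns=keep-id, comes down to the UID map of the container's user namespace. The function below is an added example, not code from the original post: it computes the host UID behind a given container UID for Podman's default rootless mapping and for --userns=keep-id, following the mappings documented in podman-run(1). zz's host UID is assumed to be 1000 (the page never prints it); the subordinate range is the page's 100000:65536.

```shell
#!/bin/sh
# Added example, not from the original post: which host UID does a container
# UID land on under rootless Podman?

# host_uid MODE CONTAINER_UID HOST_UID SUB_START SUB_COUNT
#   MODE is "default" or "keep-id". Prints the host UID, or "unmapped" when the
#   container UID lies outside the namespace's map (such a UID cannot be used
#   inside the container at all).
host_uid() {
    mode=$1; cuid=$2; huid=$3; sub_start=$4; sub_count=$5
    case $mode in
    default)
        # container root is the user; container 1..SUB_COUNT take the
        # subordinate range in order
        if [ "$cuid" -eq 0 ]; then
            echo "$huid"
        elif [ "$cuid" -le "$sub_count" ]; then
            echo $((sub_start + cuid - 1))
        else
            echo unmapped
        fi
        ;;
    keep-id)
        # the user's own uid maps to itself; every other container uid takes the
        # next free subordinate id, so container root becomes SUB_START
        if [ "$cuid" -eq "$huid" ]; then
            echo "$huid"
        elif [ "$cuid" -lt "$huid" ] && [ "$cuid" -lt "$sub_count" ]; then
            echo $((sub_start + cuid))
        elif [ "$cuid" -gt "$huid" ] && [ "$cuid" -le "$sub_count" ]; then
            echo $((sub_start + cuid - 1))
        else
            echo unmapped
        fi
        ;;
    *)
        echo "usage: host_uid default|keep-id CONTAINER_UID HOST_UID SUB_START SUB_COUNT" >&2
        return 2
        ;;
    esac
}

# Table for the page's zz user (host uid assumed 1000, subuid 100000:65536)
for c in 0 1 999 1000 1001 65536 65537; do
    printf 'container uid %-6s -> host uid: default=%-8s keep-id=%s\n' "$c" \
        "$(host_uid default "$c" 1000 100000 65536)" \
        "$(host_uid keep-id "$c" 1000 100000 65536)"
done
```

With the default map, container 0 is the user (so touch 123 as container root produced a zz-owned file on the host) and container 1 onwards take the subordinate range; with keep-id the user's UID maps to itself and everything else, root included, shifts onto subordinate IDs. Container UIDs beyond the map do not exist in the container, which is why images that ship files owned by high UIDs need a larger subuid range than the 1001 IDs hh was given above.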

Publishing a privileged port (below 1024) as an ordinary user fails with a "permission denied" error:

[zz@localhost ~]$ podman run -d -p 80:80 httpd
Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied

After adding net.ipv4.ip_unprivileged_port_start=80 to /etc/sysctl.conf and applying it with sysctl -p, ports from 80 upwards can be published. This is a host-wide setting: every unprivileged process, not only Podman, may then bind ports 80-1023, so a local user could grab 443 before a legitimate service starts. Set the value no lower than needed, or keep the default and publish on a high port with a firewall redirect in front. (sysctl -p reads only /etc/sysctl.conf; use sysctl --system if the setting lives in /etc/sysctl.d.)

[root@localhost ~]# vim /etc/sysctl.conf 
net.ipv4.ip_unprivileged_port_start=80
[root@localhost ~]# sysctl -p
net.ipv4.ping_group_range = 0 300000
net.ipv4.ip_unprivileged_port_start = 80
[zz@localhost ~]$ podman run -d -p 80:80 httpd
60fbbe2db63ce8c23f5d779ed3aadc69ad8184d7c21cd2621f0c22a33fffb6dc
[zz@localhost ~]$ ss -anlt
State   Recv-Q  Send-Q    Local Address:Port     Peer Address:Port  Process  
LISTEN  0       128             0.0.0.0:22            0.0.0.0:*              
LISTEN  0       128             0.0.0.0:8088          0.0.0.0:*              
LISTEN  0       128                   *:80                  *:*              
LISTEN  0       128                [::]:22               [::]:*  

Ports at or above 1024 have always been available to an ordinary user, with or without the sysctl change:

[zz@localhost ~]$ podman run -d -p 1024:80 httpd
d5a67001083d481e1f2dafc9bb367f1f0d6482795ce4a6ef2b6ee1e0f9ecaa20
[zz@localhost ~]$ ss -antl
State   Recv-Q  Send-Q    Local Address:Port     Peer Address:Port  Process  
LISTEN  0       128             0.0.0.0:22            0.0.0.0:*              
LISTEN  0       128             0.0.0.0:8088          0.0.0.0:*              
LISTEN  0       128                   *:80                  *:*              
LISTEN  0       128                [::]:22               [::]:*              
LISTEN  0       128                   *:1024                *:*   

Source: https://www.cnblogs.com/z696/p/16592677.html