Podman is a daemonless, open-source, Linux-native tool designed to make it easy to find, run, build, share, and deploy applications as containers and images using the Open Container Initiative (OCI) standards. Podman provides a command-line interface (CLI) that anyone who has used the Docker container engine will pick up quickly. Most users can simply alias Docker to Podman (alias docker=podman) without any problems. Like other common container engines (Docker, CRI-O, containerd), Podman relies on an OCI-compliant container runtime (runc, crun, runv, etc.) to interact with the operating system and create running containers. This makes running containers created by Podman almost indistinguishable from containers created by any other common container engine.
Using Podman feels much like using Docker; the difference is that Podman has no daemon. With the Docker CLI, the CLI talks to the Docker Engine over a gRPC API to say "I want to start a container", and only then does the Docker Engine start the container through the OCI container runtime (runc by default).
This means the container's process cannot be a child process of the Docker CLI; it is a child process of the Docker Engine.
Podman is simpler and more direct: it uses no daemon and starts the container directly through the OCI runtime (also runc by default), so the container process is a child process of podman. This resembles the Linux fork/exec model, whereas Docker uses a C/S (client/server) model. Compared with the C/S model, the fork/exec model has many advantages, for example:
Docker server
[root@docker ~]# ps -aux | grep docker
root 2449 6.2 4.7 1441992 87632 ? Ssl 10:16 0:01 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
root 3502 0.0 0.0 12320 1048 pts/0 R+ 10:16 0:00 grep --color=auto docker
docker started a daemon named dockerd.
Podman server
[root@podman ~]# ps -aux | grep podman
root 7279 0.0 0.0 112720 984 pts/0 S+ 15:00 0:00 grep --color=auto podman
As you can see, there is no podman process at all.
Create a regular user
[root@podman ~]# useradd demo
[root@podman ~]# passwd demo
更改用户 demo 的密码 。
新的 密码:
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
Docker server
[root@docker ~]# su - demo
[demo@docker root]$ docker version
Client: Docker Engine - Community
Version: 20.10.11
API version: 1.41
Go version: go1.16.9
Git commit: dea9396
Built: Thu Nov 18 00:36:58 2021
OS/Arch: linux/amd64
Context: default
Experimental: true
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/version": dial unix /var/run/docker.sock: connect: permission denied
// The demo user would first have to be added to /etc/sudoers
This shows that without sudo the user has no permission to operate docker.
Podman server
# Switch to the demo user
# su - demo // the "-" is required, otherwise you run into permission problems
# podman version
[root@podman ~]# su - demo
上一次登录:二 12月 14 15:25:04 CST 2021pts/0 上
[demo@podman ~]$ podman version
Version: 3.3.1
API Version: 3.3.1
Go Version: go1.16.7
Built: Wed Nov 10 05:23:56 2021
OS/Arch: linux/amd64
// podman can be operated without adding sudo.
CentOS
[root@podman ~]# yum -y install podman
...installation output omitted...
[root@podman ~]# rpm -qa | grep podman
podman-catatonit-3.3.1-9.module_el8.5.0+988+b1f0b741.x86_64
podman-3.3.1-9.module_el8.5.0+988+b1f0b741.x86_64
[root@podman ~]# podman version // check the podman version
Version: 3.3.1
API Version: 3.3.1
Go Version: go1.16.7
Built: Wed Nov 10 05:23:56 2021
OS/Arch: linux/amd64
[root@podman ~]# podman images // test a podman command
REPOSITORY TAG IMAGE ID CREATED SIZE
View the help: podman --help
[root@podman ~]# podman --help
Manage pods, containers and images

Usage:
  podman [options] [command]

Available Commands:
  attach        Attach to a running container
  auto-update   Auto update containers according to their auto-update policy
  build         Build an image using instructions from Containerfiles
  commit        Create new image based on the changed container
  container     Manage containers
  cp            Copy files/folders between a container and the local filesystem
  create        Create but do not start a container
  diff          Display the changes to the object's file system
  events        Show podman events
  exec          Run a process in a running container
  export        Export container's filesystem contents as a tar archive
  generate      Generate structured data based on containers, pods or volumes.
  healthcheck   Manage health checks on containers
  help          Help about any command
  history       Show history of a specified image
  image         Manage images
  images        List images in local storage
  import        Import a tarball to create a filesystem image
  info          Display podman system information
  init          Initialize one or more containers
  inspect       Display the configuration of object denoted by ID
  kill          Kill one or more running containers with a specific signal
  load          Load image(s) from a tar archive
  login         Login to a container registry
  logout        Logout of a container registry
  logs          Fetch the logs of one or more containers
  machine       Manage a virtual machine
  manifest      Manipulate manifest lists and image indexes
  mount         Mount a working container's root filesystem
  network       Manage networks
  pause         Pause all the processes in one or more containers
  play          Play containers, pods or volumes from a structured file.
  pod           Manage pods
  port          List port mappings or a specific mapping for the container
  ps            List containers
  pull          Pull an image from a registry
  push          Push an image to a specified destination
  rename        Rename an existing container
  restart       Restart one or more containers
  rm            Remove one or more containers
  rmi           Removes one or more images from local storage
  run           Run a command in a new container
  save          Save image(s) to an archive
  search        Search registry for image
  secret        Manage secrets
  start         Start one or more containers
  stats         Display a live stream of container resource usage statistics
  stop          Stop one or more containers
  system        Manage podman
  tag           Add an additional name to a local image
  top           Display the running processes of a container
  unmount       Unmounts working container's root filesystem
  unpause       Unpause the processes in one or more containers
  unshare       Run a command in a modified user namespace
  untag         Remove a name from a local image
  version       Display the Podman Version Information
  volume        Manage volumes
  wait          Block on one or more containers

Options:
  --cgroup-manager string     Cgroup manager to use ("cgroupfs"|"systemd") (default "systemd")
  --cni-config-dir string     Path of the configuration directory for CNI networks (default "/usr/libexec/cni")
  --conmon string             Path of the conmon binary
  -c, --connection string     Connection to use for remote Podman service
  --events-backend string     Events backend to use ("file"|"journald"|"none") (default "file")
  --help                      Help for podman
  --hooks-dir strings         Set the OCI hooks directory path (may be set multiple times) (default [/usr/share/containers/oci/hooks.d])
  --identity string           path to SSH identity file, (CONTAINER_SSHKEY)
  --log-level string          Log messages above specified level (trace, debug, info, warn, warning, error, fatal, panic) (default "warn")
  --namespace string          Set the libpod namespace, used to create separate views of the containers and pods on the system
  --network-cmd-path string   Path to the command for configuring the network
  -r, --remote                Access remote Podman service (default false)
  --root string               Path to the root directory in which data, including images, is stored
  --runroot string            Path to the 'run directory' where all state information is stored
  --runtime string            Path to the OCI-compatible binary used to run containers, default is /usr/bin/runc
  --runtime-flag stringArray  add global flags for the container runtime
  --storage-driver string     Select which storage driver is used to manage storage of images and containers (default is overlay)
  --storage-opt stringArray   Used to pass an option to the storage driver
  --syslog                    Output logging information to syslog as well as the console (default false)
  --tmpdir string             Path to the tmp directory for libpod state content. Note: use the environment variable 'TMPDIR' to change the temporary storage location for container images, '/var/tmp'.
  --url string                URL to access Podman service (CONTAINER_HOST) (default "unix:/run/podman/podman.sock")
  -v, --version               version for podman
As you can see, the usage is practically identical to docker, so there is no need to worry about feeling lost when switching from docker to podman. If you are not used to typing the podman command, use alias docker=podman to map the docker command onto it.
Obtaining a mirror accelerator link: see "Docker basic usage" for details.
The default registries file /etc/containers/registries.conf is the configuration file for registry addresses; by default several registries are searched: ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io', 'quay.io']. Downloads from these registries are extremely slow, to the point that images basically cannot be pulled successfully, so the registry configuration file has to be modified. This is what people call the mirror acceleration scheme.
Mirror acceleration takes only these steps:
1. Rename and back up the file as /etc/containers/registries.conf.bak
2. Create a new, empty registries.conf file and insert the following content:
unqualified-search-registries = ["docker.io"]
[[registry]]
prefix = "docker.io"
location = "******.mirror.aliyuncs.com"
3. Change location to your mirror:
NetEase: https://hub-mirror.c.163.com/
Alibaba Cloud: https://<your ID>.mirror.aliyuncs.com
4. Save
The detailed configuration steps are as follows:
# Change the podman registry source (the first registry in podman's default pull list is Red Hat's, and pulling from Red Hat may even require a paid Red Hat account; the real Docker Hub registry comes last. So reorder the list and move the Docker Hub registry to the first position. Otherwise podman tries Red Hat first, the connection fails, and pulling becomes painfully slow.)
[root@localhost ~]# vim /etc/containers/registries.conf
registries = ['docker.io','registry.access.redhat.com', 'registry.redhat.io']
# Mirror acceleration
## Back up the file
[root@localhost ~]# cp /etc/containers/registries.conf /etc/containers/registries.conf.bak
## Edit the configuration file (delete or comment out the earlier content, or create a new file named registries.conf; only this block is needed)
[root@localhost ~]# vim /etc/containers/registries.conf
unqualified-search-registries = ["docker.io"]
[[registry]]
prefix = "docker.io"
location = "a74l47xi.mirror.aliyuncs.com"
After configuring, try running the hello-world image: podman run hello-world
[root@podman ~]# podman run hello-world
Resolved "hello-world" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/hello-world:latest...
Getting image source signatures
Copying blob 2db29710123e done
Copying config feb5d9fea6 done
Writing manifest to image destination
Storing signatures
Hello from Docker!
This message shows that your installation appears to be working correctly.
[root@podman ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/hello-world latest feb5d9fea6a5 2 months ago 19.9 kB
[root@podman ~]# podman ps -a // list containers with the original command
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9b33fef81892 docker.io/library/hello-world:latest /hello 6 minutes ago Exited (0) 6 minutes ago zen_goldberg
[root@podman ~]# alias docker=podman // map the command
[root@podman ~]# docker ps -a // control podman through the docker alias
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9b33fef81892 docker.io/library/hello-world:latest /hello 6 minutes ago Exited (0) 6 minutes ago zen_goldberg
Before allowing users without root privileges to run Podman, the administrator must install or build Podman and complete the following configuration.
The cgroup v2 Linux kernel feature lets users limit the resources that a regular user's containers can consume. If the Linux distribution running Podman has cgroup v2 enabled, the default OCI runtime may need to be changed: some older versions of runc do not work with cgroup v2, and you must switch to the alternative OCI runtime crun.
Install crun
[root@podman ~]# yum -y install crun
Use the --runtime option on the command line to switch to the alternative OCI runtime that supports cgroup v2:
podman --runtime crun
You can also edit containers.conf and change runtime = "runc" to runtime = "crun":
[root@podman ~]# vim /usr/share/containers/containers.conf
......
runtime = "crun" # uncomment and change the value to crun
......
[root@podman ~]# podman run -d -p 80 docker.io/library/httpd
736c2146b807988538c700a207a45b1be50f4b3e8466b9cc57a68b4d7b5ea568
[root@podman ~]# podman inspect -l | grep crun
"OCIRuntime": "crun",
"crun",
The slirp4netns package provides a network mode for regular users.
[root@podman ~]# yum -y install slirp4netns
When using Podman as a regular user, fuse-overlayfs is recommended instead of the VFS file system; version 0.7.6 or later is required.
[root@podman ~]# yum -y install fuse-overlayfs
Configure the storage.conf file
[root@podman ~]# vim /etc/containers/storage.conf
......
mount_program = "/usr/bin/fuse-overlayfs" # uncomment
......
Podman requires the user running it to have a range of UIDs listed in /etc/subuid and /etc/subgid; the shadow-utils or newuid package provides these files.
[root@podman ~]# cat /etc/subuid
demo:100000:65536
bus:165536:65536
[root@podman ~]# cat /etc/subgid
demo:100000:65536
bus:165536:65536
// Check /etc/subuid and /etc/subgid: each user's values must be unique, with no overlap between users.
The file format is USERNAME:UID:RANGE
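An added check for the rule just stated (it is not code from the original post): it parses a file in the USERNAME:UID:RANGE format and reports any two users whose ranges overlap, which would let their rootless containers share host UIDs. It also flags a range that would hand out host UID 0, an extra sanity check not mentioned above. The demo and bus entries are the page's own values; the app entry is a constructed conflict.

```shell
# Validate a file in /etc/subuid or /etc/subgid format.
# Each entry is USERNAME:START:COUNT and covers IDs START .. START+COUNT-1.
check_subid_ranges() {
    # $1: path to the file. Prints every problem found; returns 0 when the
    # file is clean and 1 when a malformed line or an overlap was detected.
    awk -F: '
        # Skip blank lines and comments.
        /^[ \t]*$/ || /^#/ { next }
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ || $3 == 0 {
            printf "line %d: malformed entry \"%s\"\n", NR, $0
            bad = 1
            next
        }
        {
            n++
            user[n] = $1
            start[n] = $2 + 0
            end[n] = $2 + $3 - 1
            # A subordinate range must never include the host root UID/GID.
            if (start[n] == 0) {
                printf "line %d: range for %s includes ID 0\n", NR, $1
                bad = 1
            }
            # Compare against every earlier entry: two closed intervals
            # overlap when each one starts before the other ends.
            for (i = 1; i < n; i++) {
                if (start[n] <= end[i] && start[i] <= end[n]) {
                    printf "overlap: %s %d-%d and %s %d-%d\n",
                           user[i], start[i], end[i], user[n], start[n], end[n]
                    bad = 1
                }
            }
        }
        END { if (bad) exit 1 }
    ' "$1"
}

# Constructed sample: the page's two entries plus a third user whose range
# starts 1000 IDs before demo's range ends, so it collides with both.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
demo:100000:65536
bus:165536:65536
# constructed conflicting entry
app:164536:65536
EOF
check_subid_ranges "$tmp" || echo "subid file needs fixing"
rm -f "$tmp"
```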
The three main configuration files are containers.conf, storage.conf, and registries.conf. Users can modify these files as needed.
Podman reads them in this order; if one is not found, it moves on to the next:
1./usr/share/containers/containers.conf
2./etc/containers/containers.conf
3.$HOME/.config/containers/containers.conf
Directories for the container images Podman stores locally and for the files of the containers it runs:
1./etc/containers/storage.conf
2.$HOME/.config/containers/storage.conf
When run as a regular user, some fields in /etc/containers/storage.conf are ignored:
graphroot="" container storage graph dir (default: "/var/lib/containers/storage") Default directory to store all writable content created by container storage programs.
runroot="" container storage run dir (default: "/run/containers/storage") Default directory to store all temporary writable content created by container storage programs.
As a regular user the defaults are:
graphroot="$HOME/.local/share/containers/storage"
runroot="$XDG_RUNTIME_DIR/contai
Configuration is read in this order. These files are not created by default; you can copy them from /usr/share/containers or /etc/containers and modify them:
1./etc/containers/registries.conf
2./etc/containers/registries.d/*
3.$HOME/.config/containers/registries.conf
podman login logs in to a registry; the default authorization file is ${XDG_RUNTIME_DIR}/containers/auth.json
[root@podman ~]# cat /run/user/0/containers/auth.json
{
"auths": {
"docker.io": {
"auth": "********************="
}
}
}
// --filter=is-official: search only for the official httpd image
[root@podman ~]# podman search httpd --filter=is-official
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
docker.io docker.io/library/httpd The Apache HTTP Server Project 3794 [OK]
Note: Podman searches across several registries, so it is recommended to use the full image name (docker.io/library/httpd rather than httpd) to make sure the correct image is used.
[root@podman ~]# podman pull docker.io/library/httpd
Trying to pull docker.io/library/httpd:latest...
Getting image source signatures
Copying blob aa379c0cedc2 done
Copying blob d3576f2b6317 done
Copying blob f1aa5f54b226 done
Copying blob bc36ee1127ec done
Copying blob e5ae68f74026 done
Copying config ea28e1b82f done
Writing manifest to image destination
Storing signatures
ea28e1b82f314092abd3f90a69e57d6ccf506382821ee0b8d9b48c3e47440c1f
// When you do not know the exact location of an image, run podman pull + image name and use the up/down keys to choose the registry to pull from
[root@podman ~]# podman pull nginx
? Please select an image:
▸ registry.fedoraproject.org/nginx:latest
registry.access.redhat.com/nginx:latest
registry.centos.org/nginx:latest
docker.io/library/nginx:latest
a74l47xi.mirror.aliyuncs.com/nginx:latest
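The selection prompt above is exactly the ambiguity the note warns about: a short name resolves differently depending on the unqualified-search-registries list. The following added example (not from the original post, and not Podman's own code) rewrites image references into fully qualified docker.io names using the Docker Hub short-name conventions, so a manifest can be checked before it is run. It assumes a single path component means docker.io/library/<name>, user/repo means docker.io/user/repo, and a first component containing "." or ":" or equal to "localhost" is already a registry host.

```shell
# Turn a possibly short image reference into a fully qualified one.
# Examples: nginx -> docker.io/library/nginx:latest
#           bitnami/redis -> docker.io/bitnami/redis:latest
#           quay.io/podman/hello -> quay.io/podman/hello:latest
qualify_image() {
    ref=$1
    digest=''
    tag=''
    # A digest (@sha256:...) comes after the tag and is kept verbatim.
    case $ref in
        *@*) digest=${ref#*@}; ref=${ref%%@*} ;;
    esac
    # A colon in the last path component is a tag; a colon earlier
    # (e.g. localhost:5000/app) is a registry port and must be left alone.
    last=${ref##*/}
    case $last in
        *:*) tag=${last#*:}; ref=${ref%:*} ;;
    esac
    first=${ref%%/*}
    case $ref in
        */*)
            case $first in
                *.*|*:*|localhost) ;;          # first component is a registry host
                *) ref="docker.io/$ref" ;;     # user/repo on Docker Hub
            esac ;;
        *) ref="docker.io/library/$ref" ;;     # official (library) image
    esac
    if [ -n "$digest" ]; then
        printf '%s@%s\n' "$ref" "$digest"
    else
        printf '%s:%s\n' "$ref" "${tag:-latest}"
    fi
}

# Read image references (one per line) and print "short -> qualified" for
# each one that is not already fully qualified with a tag or digest.
report_short_names() {
    while IFS= read -r ref; do
        [ -n "$ref" ] || continue
        full=$(qualify_image "$ref")
        case $full in
            "$ref") ;;
            *) printf '%s -> %s\n' "$ref" "$full" ;;
        esac
    done
}

# Constructed sample list, as it might appear in a deployment manifest.
printf '%s\n' nginx 'httpd:2.4' 'quay.io/podman/hello' 'localhost:5000/app:dev' 'bitnami/redis' \
    | report_short_names
```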
[root@podman ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest f652ca386ed1 11 days ago 146 MB
docker.io/library/httpd latest ea28e1b82f31 11 days ago 148 MB
docker.io/library/hello-world latest feb5d9fea6a5 2 months ago 19.9 kB
[root@podman ~]# podman run -d -p 80:80 docker.io/library/nginx:latest
8bd20084cb280f22a896356a6e20f64d2a912df967b8284011a0cb10c157ddcc
Note: because the container runs in detached mode, indicated by the -d in the podman run command, Podman prints the container ID after executing the command. The -t also adds a pseudo-tty for running arbitrary commands in an interactive shell.
Note: we use port forwarding to reach the HTTP server. For this to work, at least slirp4netns v0.3.0 is required.
Access the container just started from a browser
[root@podman ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9b33fef81892 docker.io/library/hello-world:latest /hello 35 minutes ago Exited (0) 35 minutes ago zen_goldberg
8bd20084cb28 docker.io/library/nginx:latest nginx -g daemon o... 22 seconds ago Up 22 seconds ago 0.0.0.0:80->80/tcp ecstatic_keldysh
Test whether the nginx container is working
[root@podman ~]# curl 192.168.58.100
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
Inspect the running container to find metadata and details about it. podman inspect provides a lot of useful information, such as environment variables, network settings, or allocated resources.
Because the container runs in rootful mode, it is assigned an IP address.
[root@podman ~]# podman inspect -l |grep -i ipaddress
"IPAddress": "10.88.0.5",
"IPAddress": "10.88.0.5",
[root@podman ~]# podman logs -l
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2021/12/14 09:16:00 [notice] 1#1: using the "epoll" event method
2021/12/14 09:16:00 [notice] 1#1: nginx/1.21.4
2021/12/14 09:16:00 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
2021/12/14 09:16:00 [notice] 1#1: OS: Linux 4.18.0-305.3.1.el8.x86_64
2021/12/14 09:16:00 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2021/12/14 09:16:00 [notice] 1#1: start worker processes
2021/12/14 09:16:00 [notice] 1#1: start worker process 26
192.168.58.100 - - [14/Dec/2021:09:17:08 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.61.1" "-"
[root@podman ~]# podman stats -l
ID NAME CPU % MEM USAGE / LIMIT MEM % NET IO BLOCK IO PIDS CPU TIME AVG CPU %
25792d84fd4d pensive_lewin -- 12.13MB / 3.89GB 0.31% 978B / 1.604kB -- / -- 2 60.785945ms 5.30%
Show the processes running in the container
1. By default, podman top prints data similar to ps -ef:
[root@podman ~]# podman top -l
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
root 1 0 0.000 7m23.493485467s ? 0s nginx: master process nginx -g daemon off;
nginx 26 1 0.000 7m23.507132661s ? 0s nginx: worker process
2. The output can be controlled by passing format descriptors as arguments after the container:
[root@podman ~]# podman top -l pid seccomp args %C
PID SECCOMP COMMAND %CPU
1 filter nginx: master process nginx -g daemon off; 0.000
26 filter nginx: worker process 0.000
[root@podman ~]# podman top -l pid seccomp state args %C
PID SECCOMP STATE COMMAND %CPU
1 filter S nginx: master process nginx -g daemon off; 0.000
26 filter S nginx: worker process 0.000
[root@podman ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8bd20084cb28 docker.io/library/nginx:latest nginx -g daemon o... 22 seconds ago Up 22 seconds ago 0.0.0.0:80->80/tcp ecstatic_keldysh
[root@podman ~]# podman stop -l
8bd20084cb280f22a896356a6e20f64d2a912df967b8284011a0cb10c157ddcc
[root@podman ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8bd20084cb28 docker.io/library/nginx:latest nginx -g daemon o... 9 minutes ago Exited (0) 18 seconds ago 0.0.0.0:80->80/tcp ecstatic_keldysh
Delete the container
[root@podman ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8bd20084cb28 docker.io/library/nginx:latest nginx -g daemon o... 9 minutes ago Exited (0) 18 seconds ago 0.0.0.0:80->80/tcp ecstatic_keldysh
[root@podman ~]# docker rm -l
8bd20084cb280f22a896356a6e20f64d2a912df967b8284011a0cb10c157ddcc
[root@podman ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@podman ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest f652ca386ed1 11 days ago 146 MB
docker.io/library/httpd latest ea28e1b82f31 11 days ago 148 MB
docker.io/library/hello-world latest feb5d9fea6a5 2 months ago 19.9 kB
[root@podman ~]# podman tag docker.io/library/nginx:latest docker.io/test
[root@podman ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest f652ca386ed1 11 days ago 146 MB
docker.io/library/test latest f652ca386ed1 11 days ago 146 MB
docker.io/library/httpd latest ea28e1b82f31 11 days ago 148 MB
docker.io/library/hello-world latest feb5d9fea6a5 2 months ago 19.9 kB
One of the deciding factors for Podman container networking is whether the container is run by the root user, because unprivileged users cannot create network interfaces on the host. For rootful containers the default network mode therefore uses Container Network Interface (CNI) plugins, specifically the bridge plugin. For rootless containers the default network mode is slirp4netns. Because of its limited privileges, slirp4netns lacks some features of CNI networking; for example, slirp4netns cannot give the container a routable IP address. CNI stands for Container Network Interface.
Three steps
[root@podman ~]# podman network create new // create
/etc/cni/net.d/new.conflist
[root@podman ~]# podman network ls // list
NETWORK ID NAME VERSION PLUGINS
2f259bab93aa podman 0.4.0 bridge,portmap,firewall,tuning
11507a0e2f5e new 0.4.0 bridge,portmap,firewall,tuning
Edit the /etc/cni/net.d/mynetwork.conflist configuration file
{
  "cniVersion": "0.4.0",          // CNI version
  "name": "new",                  // network name
  "plugins": [
    {
      "type": "bridge",           // type
      "bridge": "cni-podman1",
      "isGateway": true,
      "ipMasq": true,
      "hairpinMode": true,
      "ipam": {
        "type": "host-local",
        "routes": [ { "dst": "0.0.0.0/0" } ],
        "ranges": [
          [
            {
              "subnet": "192.168.59.0/24",   // change the subnet
              "gateway": "192.168.59.1"      // change the gateway
            }
          ]
        ]
      }
    },
    { "type": "portmap", "capabilities": { "portMappings": true } },
    { "type": "firewall", "backend": "" },
    { "type": "tuning" }
  ]
}
Edit /usr/share/containers/containers.conf to make it the default network
[root@podman ~]# vim /usr/share/containers/containers.conf
.......
# The network name of the default CNI network to attach pods to.
#
default_network = "new" # add this line
#default_network = "podman"
.......
Create a container to verify
[root@podman ~]# podman run -dit --name new busybox
9b8040d10e1ef193b5944cdf4c028e48324f57d09228c87a2a1bc299becd8c44
[root@podman ~]# podman exec -it new /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether fe:b1:ec:61:cb:c4 brd ff:ff:ff:ff:ff:ff
inet 192.168.59.2/24 brd 192.168.59.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::fcb1:ecff:fe61:cbc4/64 scope link
valid_lft forever preferred_lft forever
/ # ping baidu.com // test whether the container can reach the outside network
PING baidu.com (220.181.38.251): 56 data bytes
64 bytes from 220.181.38.251: seq=0 ttl=127 time=59.113 ms
64 bytes from 220.181.38.251: seq=1 ttl=127 time=75.623 ms
64 bytes from 220.181.38.251: seq=2 ttl=127 time=61.185 ms
Firewalls do not affect the setup and configuration of networks, but they do affect the traffic on those networks. Most notably this is inbound traffic to the container host, which is usually passed on to containers through port mappings. Depending on the firewall implementation, we have observed firewall ports being opened automatically because a container with a port mapping was run (for example). If container traffic does not seem to work, check the firewall and allow traffic on the port numbers the containers are using. A common problem is that reloading the firewall removes the CNI iptables rules, causing rootful containers to lose network connectivity. Podman v3 provides the podman network reload command to restore them without restarting the container.
[root@podman ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 182 packets, 15049 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 3 packets, 156 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 373 packets, 27366 bytes)
pkts bytes target prot opt in out source destination
3 194 CNI-0e18d45e43c67d5edd08e6eb all -- * * 192.168.59.2 0.0.0.0/0 /* name: "new" id: "9b8040d10e1ef193b5944cdf4c028e48324f57d09228c87a2a1bc299becd8c44" */
Chain OUTPUT (policy ACCEPT 373 packets, 27366 bytes)
pkts bytes target prot opt in out source destination
// So far only the masquerade entry for the newly created network's interface is visible
Run a container and map port 80
[root@podman ~]# podman run -d -p 80:80 --name nginx nginx // nginx can be used directly here because docker.io was configured above
bb055ae633424d1b2cc0155e1d18f99b6cf06ed91ec50c3244dfc6080e7264d8
[root@podman ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9b8040d10e1e docker.io/library/busybox:latest sh 8 minutes ago Up 8 minutes ago new
bb055ae63342 docker.io/library/nginx:latest nginx -g daemon o... 9 seconds ago Up 9 seconds ago 0.0.0.0:80->80/tcp nginx
Now look at the firewall rules again
[root@podman ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 183 packets, 15278 bytes)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
......
Chain CNI-HOSTPORT-DNAT (2 references)
pkts bytes target prot opt in out source destination
0 0 CNI-DN-2970caf0153c64b6b4070 tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* dnat name: "new" id: "bb055ae633424d1b2cc0155e1d18f99b6cf06ed91ec50c3244dfc6080e7264d8" */ multiport dports 80
Chain CNI-DN-2970caf0153c64b6b4070 (1 references)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 192.168.59.0/24 0.0.0.0/0 tcp dpt:80
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 127.0.0.1 0.0.0.0/0 tcp dpt:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.59.3:80 // port 80 now appears
Filter out the container IP and verify the service works
[root@podman ~]# podman inspect -l| grep -i address
"IPAddress": "192.168.59.3",
"GlobalIPv6Address": "",
"MacAddress": "06:9c:65:a5:b8:2c",
"LinkLocalIPv6Address": "",
"IPAddress": "192.168.59.3",
"GlobalIPv6Address": "",
"MacAddress": "06:9c:65:a5:b8:2c",
[root@podman ~]# curl 192.168.59.3
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
......
Three steps
[root@podman ~]# iptables -t nat -F
[root@podman ~]# iptables --flush
[root@podman ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 183 packets, 15278 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 3 packets, 156 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 384 packets, 28186 bytes)
pkts bytes target prot opt in out source destination
Reload the rules
[root@podman ~]# podman network reload nginx
bb055ae633424d1b2cc0155e1d18f99b6cf06ed91ec50c3244dfc6080e7264d8
[root@podman ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 184 packets, 15507 bytes)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 3 packets, 156 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 385 packets, 28246 bytes)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-MASQ all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI portfwd requiring masquerade */
0 0 CNI-2970caf0153c64b6b40709d5 all -- * * 192.168.59.3 0.0.0.0/0 /* name: "new" id: ........
Chain CNI-HOSTPORT-DNAT (2 references)
pkts bytes target prot opt in out source destination
0 0 CNI-DN-2970caf0153c64b6b4070 tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* dnat name: "new" id: "bb055ae633424d1b2cc0155e1d18f99b6cf06ed91ec50c3244dfc6080e7264d8" */ multiport dports 80
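The flush-and-reload sequence above shows the failure mode: the container keeps running while its DNAT rule silently disappears. The following added check (not the page's or Podman's own code) spots that state from a rule dump instead of waiting for traffic to fail. It assumes `iptables -t nat -S` output and the per-container CNI-DN-* chain naming seen in the listings above; the two rule dumps in the demo are constructed to mirror the page's healthy and flushed states.

```shell
# Report published host ports that have no DNAT rule left in the nat table.
missing_dnat_ports() {
    # $1: file holding `iptables -t nat -S` output; remaining args: the host
    # ports that `podman ps` shows as published. Prints the ports with no
    # DNAT rule and returns 1 if there are any, 0 if all are still forwarded.
    rules=$1
    shift
    missing=''
    for port in "$@"; do
        # A published port is backed by a DNAT rule in a per-container chain, e.g.
        # -A CNI-DN-2970caf0153c64b6b4070 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.59.3:80
        # The trailing space after the port keeps 80 from matching 8080.
        if ! grep -Eq -- "^-A CNI-DN-[0-9a-f]+ .*--dport $port .*-j DNAT" "$rules"; then
            missing="$missing $port"
        fi
    done
    missing=${missing# }
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Constructed rule dumps: the state after `podman run -p 80:80`, and the
# state after `iptables -t nat -F` wiped the CNI chains.
healthy=$(mktemp)
flushed=$(mktemp)
cat > "$healthy" <<'EOF'
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-N CNI-HOSTPORT-DNAT
-N CNI-DN-2970caf0153c64b6b4070
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A CNI-HOSTPORT-DNAT -p tcp -m multiport --dports 80 -j CNI-DN-2970caf0153c64b6b4070
-A CNI-DN-2970caf0153c64b6b4070 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.59.3:80
EOF
printf '%s\n' '-P PREROUTING ACCEPT' '-P POSTROUTING ACCEPT' > "$flushed"

missing_dnat_ports "$healthy" 80 && echo "port 80 is still forwarded"
# After a firewall reload the rule is gone while the container still runs;
# `podman network reload <container>` recreates it without a restart.
missing_dnat_ports "$flushed" 80 || echo "not forwarded; run: podman network reload nginx"
rm -f "$healthy" "$flushed"
```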
Three steps
Create an httpd container
[root@podman ~]# podman run -tid --name httpd httpd
b933913e28d570caa62ed7f0a70189f853fe263f8b3593e177bba13f8cf6661f
[root@podman ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b933913e28d5 docker.io/library/httpd:latest httpd-foreground 4 seconds ago Up 4 seconds ago httpd
[root@podman ~]# podman generate systemd --files --name httpd // generate the service file
/root/container-httpd.service
[root@podman ~]# ls
anaconda-ks.cfg container-httpd.service
[root@podman ~]# cat container-httpd.service
# container-httpd.service
# autogenerated by Podman 3.3.1
# Wed Dec 15 18:06:31 CST 2021

[Unit]
Description=Podman container-httpd.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=/run/containers/storage

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStart=/usr/bin/podman start httpd
ExecStop=/usr/bin/podman stop -t 10 httpd
ExecStopPost=/usr/bin/podman stop -t 10 httpd
PIDFile=/run/containers/storage/overlay-containers/b933913e28d570caa62ed7f0a70189f853fe263f8b3593e177bba13f8cf6661f/userdata/conmon.pid
Place container-httpd.service in /usr/lib/systemd/system/
[root@podman ~]# mv container-httpd.service /usr/lib/systemd/system/
Enable the service at boot
[root@podman ~]# systemctl status container-httpd // check the service status
● container-httpd.service - Podman container-httpd.service
Loaded: loaded (/usr/lib/systemd/system/container-httpd.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:podman-generate-systemd(1)
[root@podman ~]# systemctl enable --now container-httpd // enable at boot
Created symlink /etc/systemd/system/multi-user.target.wants/container-httpd.service → /usr/lib/systemd/system/container-httpd.service.
Created symlink /etc/systemd/system/default.target.wants/container-httpd.service → /usr/lib/systemd/system/container-httpd.service.
[root@podman ~]# systemctl status container-httpd
● container-httpd.service - Podman container-httpd.service
Loaded: loaded (/usr/lib/systemd/system/container-httpd.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2021-12-15 18:08:05 CST; 2s ago
Docs: man:podman-generate-systemd(1)
Process: 234637 ExecStart=/usr/bin/podman start httpd (code=exited, status=0/SUCCESS)
Main PID: 230398 (conmon)
Tasks: 0 (limit: 23493)
Memory: 8.0K
CGroup: /system.slice/container-httpd.service
‣ 230398 /usr/bin/conmon --api-version 1 -c b933913e28d570caa62ed7f0a70189f853fe263f8b3593e177bba13f8cf6661f -u b933913e28d57
[root@podman ~]# reboot // verify
Rootless container autostart at boot
## Connect to the regular user over ssh
[root@localhost ~]# ssh demo@192.168.58.100
Non-root users can only map ports above 1024; ports below 1024 can only be mapped by root.
[demo@podman ~]$ podman run -dit --name nginx nginx // run the container
Resolving "nginx" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob 21e0df283cd6 done
Copying blob 881ff011f1c9 done
Copying blob 44be98c0fab6 done
Copying blob ed835de16acd done
Copying blob 77700c52c969 done
Copying blob e5ae68f74026 done
Copying config f652ca386e done
Writing manifest to image destination
Storing signatures
bd6e94a3bab50cec23293241021ca18ce89ef801d7b9959e8ce1a4d0092b07f7
[demo@podman user]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7bb3f496d4ea docker.io/library/nginx:latest nginx -g daemon o... 6 minutes ago Up 6 minutes ago nginx
[demo@podman ~]$ mkdir -p ~/.config/systemd/user // create the user unit directory
[demo@podman ~]$ podman generate systemd --name nginx --files --new // generate the service file
/home/demo/container-nginx.service
[demo@podman ~]$ mv container-nginx.service ~/.config/systemd/user // move it into the user directory
[demo@podman ~]$ podman stop nginx ## stop the container
// Reload the units and enable autostart; as a rootless user, --user must be added
[demo@podman ~]$ systemctl --user daemon-reload
[demo@podman ~]$ systemctl --user enable container-nginx.service --now
Created symlink /home/demo/.config/systemd/user/multi-user.target.wants/container-nginx.service → /home/demo/.config/systemd/user/container-nginx.service.
Created symlink /home/demo/.config/systemd/user/default.target.wants/container-nginx.service → /home/demo/.config/systemd/user/container-nginx.service.
[demo@podman ~]$ systemctl --user status container-nginx.service
● container-nginx.service - Podman container-nginx.service
Loaded: loaded (/home/demo/.config/systemd/user/container-nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2021-12-15 18:43:29 CST; 6s ago
Docs: man:podman-generate-systemd(1)
Process: 296286 ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=/run/user/1000/container-nginx.service.ctr-id (code=exited, status=125)
Process: 296334 ExecStartPre=/bin/rm -f /run/user/1000/container-nginx.service.ctr-id (code=exited, status=0/SUCCESS)
Main PID: 296415 (conmon)
CGroup: /user.slice/user-1000.slice/user@1000.service/container-nginx.service
├─296409 /usr/bin/fuse-overlayfs -o ,lowerdir=/home/demo/.local/share/containers/storage/overlay/l/ROBNVTFSKM43LHYXD2IFKZ4F2H:/home/demo/.loca>
├─296412 /usr/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable-sandbox --enable-seccomp -c -e 3 -r 4 --netns-type=path /run/user/1>
├─296415 /usr/bin/conmon --api-version 1 -c 79a48c9eee7854810a5ef096b0289cbe05488085353db3f78b2b916ead9bbaa7 -u 79a48c9eee7854810a5ef096b0289c>
├─296418 nginx: master process nginx -g daemon off;
└─296444 nginx: worker process