podman简介

Podman是一个开源项目,可在大多数Linux平台上使用并开源在GitHub上。Podman是一个无守护进程的容器引擎,用于在Linux系统上开发,管理和运行Open Container Initiative(OCI)容器和容器镜像。Podman提供了一个与Docker兼容的命令行前端,它可以简单地作为Docker cli,简单地说你可以直接添加别名:alias docker = podman来使用podman。

Podman控制下的容器可以由root用户运行,也可以由非特权用户运行。Podman管理整个容器的生态系统,其包括pod,容器,容器镜像,和使用libpod library的容器卷。Podman专注于帮助您维护和修改OCI容器镜像的所有命令和功能,例如拉取和标记。它允许您在生产环境中创建,运行和维护从这些映像创建的容器。

  1. Podman 官网地址:https://podman.io/
  2. Podman 项目地址:https://github.com/containers/libpod

 

 

 安装podman

复制代码
//配置yum源
[root@ansible ~]# curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-8.repo
[root@ansible ~]# sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
[root@ansible ~]# sed  -i 's#\$releasever#8#g'  /etc/yum.repos.d/CentOS-Base.repo
[root@ansible ~]# yum install -y https://mirrors.aliyun.com/epel/epel-release-latest-8.noarch.rpm
[root@ansible ~]# sed -i 's|^#baseurl=https://download.fedoraproject.org/pub|baseurl=https://mirrors.aliyun.com|' /etc/yum.repos.d/epel*
[root@ansible ~]# sed -i 's|^metalink|#metalink|' /etc/yum.repos.d/epel*
[root@ansible ~]# sed  -i 's#\$releasever#8#g'  /etc/yum.repos.d/epel.repo

//用yum安装podman
[root@RedHat ~]# yum -y install podman
复制代码

 

复制代码
//配置加速器
[root@RedHat containers]# cp registries.conf{,.ori} 
[root@RedHat containers]# grep -v "^#" registries.conf.ori > registries.conf
[root@RedHat containers]# vim registries.conf

unqualified-search-registries = ["docker.io"]
  
[[registry]]
prefix= 'docker.io'
location= 'xxxx.mirror.swr.myhuaweicloud.com'
复制代码

 

复制代码
//podman拉取镜像
[root@RedHat containers]# podman pull busybox
Completed short name "busybox" with unqualified-search registries (origin: /etc/containers/registries.conf)
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob e5d9363303dd done  
Copying config b97242f89c done  
Writing manifest to image destination
Storing signatures
b97242f89c8a29d13aea12843a08441a4bbfc33528f55b60366c1d8f6923d0d4
[root@RedHat containers]# podman images
REPOSITORY                 TAG     IMAGE ID      CREATED      SIZE
docker.io/library/busybox  latest  b97242f89c8a  8 weeks ago  1.45 MB
复制代码

 

//podman查看镜像
[root@RedHat containers]# podman images
REPOSITORY                 TAG     IMAGE ID      CREATED      SIZE
docker.io/library/busybox  latest  b97242f89c8a  8 weeks ago  1.45 MB

 

//podman删除镜像
[root@RedHat containers]# podman rmi docker.io/library/busybox:latest
Untagged: docker.io/library/busybox:latest
Deleted: b97242f89c8a29d13aea12843a08441a4bbfc33528f55b60366c1d8f6923d0d4

 

复制代码
//root用户拉取的镜像在其他用户登录宿主机的时候是看不到的
[root@RedHat ~]# podman images
REPOSITORY                 TAG     IMAGE ID      CREATED      SIZE
docker.io/library/busybox  latest  b97242f89c8a  8 weeks ago  1.45 MB

[jerry@RedHat ~]$ id
uid=1000(jerry) gid=1000(jerry) 组=1000(jerry) 环境=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[jerry@RedHat ~]$ podman images
REPOSITORY  TAG     IMAGE ID  CREATED  SIZE
复制代码

 

复制代码
//相反,jerry用户拉取地镜像root也没有
[jerry@RedHat ~]$ podman pull nginx
Completed short name "nginx" with unqualified-search registries (origin: /etc/containers/registries.conf)
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob f72584a26f32 done  
Copying blob a076a628af6f done  
Copying blob 0732ab25fa22 done  
Copying blob 7125e4df9063 done  
Copying blob d7f36f6fe38f done  
Copying config f6d0b4767a done  
Writing manifest to image destination
Storing signatures
f6d0b4767a6c466c178bf718f99bea0d3742b26679081e52dbf8e0c7c4c42d74
[jerry@RedHat ~]$ podman images
REPOSITORY               TAG     IMAGE ID      CREATED      SIZE
docker.io/library/nginx  latest  f6d0b4767a6c  8 weeks ago  137 MB

[root@RedHat ~]# podman images
REPOSITORY                 TAG     IMAGE ID      CREATED      SIZE
docker.io/library/busybox  latest  b97242f89c8a  8 weeks ago  1.45 MB
复制代码

 

复制代码
//在jerry用户中创建的容器在root里看不到
[jerry@RedHat ~]$ podman run -it nginx /bin/sh
# ls
bin   dev           docker-entrypoint.sh  home  lib64  mnt  proc  run   srv  tmp  var
boot  docker-entrypoint.d  etc             lib   media  opt  root  sbin  sys  usr
# exit   
[jerry@RedHat ~]$ podman ps -a
CONTAINER ID  IMAGE                           COMMAND  CREATED         STATUS                    PORTS   NAMES
f7281ca4a884  docker.io/library/nginx:latest  /bin/sh  47 seconds ago  Exited (0) 5 seconds ago          practical_liskov


[root@RedHat ~]# podman ps -a
CONTAINER ID  IMAGE   COMMAND  CREATED  STATUS  PORTS   NAMES
复制代码

 

复制代码
//当root和jerry都创建容器名为web 此时两个容器是非会冲突呢?
[root@RedHat ~]# podman run -it --rm --name web busybox
/ # ls
bin   dev   etc   home  proc  root  run   sys   tmp   usr   var

[root@RedHat ~]# podman ps
CONTAINER ID  IMAGE                             COMMAND  CREATED         STATUS             PORTS   NAMES
fc0b452940fd  docker.io/library/busybox:latest  sh       16 seconds ago  Up 15 seconds ago          web

[jerry@RedHat ~]$ podman run -it --rm --name web busybox
/ # ls
bin   dev   etc   home  proc  root  run   sys   tmp   usr   var

[jerry@RedHat ~]$ podman ps
CONTAINER ID  IMAGE                             COMMAND  CREATED         STATUS             PORTS   NAMES
5294a0e55a83  docker.io/library/busybox:latest  sh       20 seconds ago  Up 19 seconds ago          web

//如此可见,不同用户创建的容器是互相隔离的,并不会相互影响
复制代码

 

复制代码
//如果你想用普通用户创建容器并且映射容器80到本机80端口的话
[jerry@RedHat ~]$ podman run -it --rm --name web1 -p 80:80 busybox
Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied

//很显然失败了,但是你可以吧端口数字调成大于等于1024,例如
[jerry@RedHat ~]$ podman run -it --rm --name web1 -p 2000:80 busybox
/ # ls
bin   dev   etc   home  proc  root  run   sys   tmp   usr   var

[jerry@RedHat ~]$ podman ps
CONTAINER ID  IMAGE                             COMMAND  CREATED        STATUS            PORTS                 NAMES
f529b49fb389  docker.io/library/busybox:latest  sh       7 seconds ago  Up 6 seconds ago  0.0.0.0:2000->80/tcp  web1
复制代码

 

cgroup V2支持

cgroup V2 Linux内核功能允许用户限制无根容器可以使用的资源量。如果使用cgroup V2启用了运行Podman的Linux发行
版,则可能需要更改默认的OCI运行时。某些较旧的版本runc不适用于cgroup V2,您可能必须切换到备用0CI运行时
crun。
也可以使用以下– runtime选项在命令行中打开对cgroup V2的替代OCI运行时支持:

podman -- runtime C run
//我们使用yum安装crun
[root@RedHat ~]# yum -y install crun

 

cgroup V2 Linux内核功能允许用户限制无根容器可以使用的资源量。如果使用cgroup V2启用了运行Podman的Linux发行版,则可能需要更改默认的OCI运行时。某些较旧的版本runc不适用于cgroup V2,您可能必须切换到备用OCI运行时crun

用于通过在系统级或在任一改变用于在containers.conf文件“默认OCI运行时”的值的所有命令用户级别runtime = "runc"runtime = "crun"

 

复制代码
//取消注释并且修改
[root@RedHat containers]# vim /usr/share/containers/containers.conf 

 runtime = "crun"

[root@RedHat containers]# podman run -it --rm --name web1 busybox

[root@RedHat ~]# podman inspect web1|grep crun
        "OCIRuntime": "crun",
            "crun",
复制代码

 

 

使用普通用户创建容器会发现容器内容器外UID不一致

复制代码
[jerry@RedHat ~]$ mkdir 123
[jerry@RedHat ~]$ podman run -it --rm -v /home/jerry/123:/data busybox /bin/sh
/ # cd data/
/data # touch abc
/data # ls -l
total 0
-rw-r--r--    1 root     root             0 Mar 10 22:17 abc

/data # exit
[jerry@RedHat ~]$ cd 123/
[jerry@RedHat 123]$ ll
总用量 0
-rw-r--r--. 1 jerry jerry 0 3月  11 06:17 abc
[jerry@RedHat 123]$
复制代码

为了使UID保持一致,可以使用–userns=keep-id命令

[jerry@RedHat 123]$ podman run -it --rm --userns=keep-id -v /home/jerry/123/:/data busybox 
~ $ cd data/
/data $ ls -l
total 0
-rw-r--r--    1 jerry    jerry            0 Mar 10 22:17 abc
/data $

 转自:https://www.cnblogs.com/lichouluoyu/p/14513622.html