在无根环境中的基本设置和使用podman
在无根环境中的基本设置和使用podman
在允许没有root特权的用户运行Podman之前,管理员必须安装或构建Podman并完成以下配置
基本设置
cgroup V2Linux内核功能允许用户限制普通用户容器可以使用的资源,如果使用cgroupV2启用了运行Podman的Linux发行版,则可能需要更改默认的OCI运行时。某些较旧的版本runc不适用于cgroupV2,必须切换到备用OCI运行时crun。
[root@podman ~]# dnf -y install crun
[root@podman ~]# vim /usr/share/containers/containers.conf
runtime = "crun"
#runtime = "runc"
[root@podman ~]# podman run -d --name web -p 80:80 httpd
c48dcbebb75f949b2ffd964a2e51b0dc178e7c908b3a9db45ead68866a25dd9c
[root@podman ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c48dcbebb75f docker.io/library/httpd:latest httpd-foreground 5 seconds ago Up 6 seconds ago 0.0.0.0:80->80/tcp web
#查询容器的运行规则
[root@podman ~]# podman inspect web | grep crun
"OCIRuntime": "crun",
安装slirp4netns和fuse-overlayfs
在普通用户环境中使用Podman时,建议使用fuse-overlayfs而不是VFS文件系统,至少需要版本0.7.6。现在新版本默认就是了。
[root@podman ~]# dnf -y install slirp4netns
[root@podman ~]# dnf -y install fuse-overlayfs
[root@podman ~]# vim /etc/containers/storage.conf
mount_program = "/usr/bin/fuse-overlayfs" #搜索fuse,取消这行注释
[root@podman ~]# which fuse-overlayfs
/usr/bin/fuse-overlayfs
/etc/subuid和/etc/subgid配置
Podman要求运行它的用户在/ etc / subuid和/ etc / subgid文件中列出一系列UID,shadow-utils或newuid包提供这些文件
[root@podman ~]# dnf -y install shadow-utils
可以在/etc/subuid和/etc/subgid查看,每个用户的值必须唯一且没有任何重叠。
[root@podman ~]# useradd dada
[root@podman ~]# cat /etc/subuid
dada:100000:65536
[root@podman ~]# cat /etc/subgid
dada:100000:65536
#启动非特权ping
[root@podman ~]# vim /etc/sysctl.conf
net.ipv4.ping_group_range=0 200000 #添加此行,大于100000这个就表示tom可以操作podman
这个文件的格式是 USERNAME:UID:RANGE中/etc/passwd或输出中列出的用户名getpwent。
- 为用户分配的初始 UID。
- 为用户分配的 UID 范围的大小。
该usermod程序可用于为用户分配 UID 和 GID,而不是直接更新文件。
[root@podman ~]# useradd xiaoxiao
[root@podman ~]# cat /etc/subuid /etc/subgid
dada:100000:65536
xiaoxiao:165536:65536
dada:100000:65536
xiaoxiao:165536:65536
[root@podman ~]# usermod --add-subuids 200000-201000 --add-subgids 200000-201000 xiaoxiao
[root@podman ~]# cat /etc/subuid /etc/subgid
dada:100000:65536
xiaoxiao:165536:65536
dada:100000:65536
xiaoxiao:165536:65536
[root@podman ~]# usermod --del-subuids 165536-231072 --del-subgids 165536-231072 xiaoxiao
[root@podman ~]# cat /etc/subuid /etc/subgid
dada:100000:65536
dada:100000:65536
[root@podman ~]# usermod --add-subuids 200000-201000 --add-subgids 200000-201000 xiaoxiao
[root@podman ~]# cat /etc/subuid /etc/subgid
dada:100000:65536
xiaoxiao:200000:1001
dada:100000:65536
xiaoxiao:200000:1001
用户配置文件
三个主要的配置文件是container.conf、storage.conf和registries.conf。用户可以根据需要修改这些文件。
container.conf(容器配置文件)
// 用户配置文件
[root@localhost ~]# cat /usr/share/containers/containers.conf
[root@localhost ~]# cat /etc/containers/containers.conf
[root@localhost ~]# cat ~/.config/containers/containers.conf //优先级最高
如果它们以该顺序存在。每个文件都可以覆盖特定字段的前一个文件。
storage.conf(存储配文件)
1./etc/containers/storage.conf
2.$HOME/.config/containers/storage.conf
在普通用户中/etc/containers/storage.conf的一些字段将被忽略
[root@podman ~]# vim /etc/containers/storage.conf
driver = "overlay" #此处改为overlay
......
mount_program = "/usr/bin/fuse-overlayfs" #取消注释
[root@podman ~]# vim /etc/sysctl.conf#如果版本为8以下,则需要做,设置无根用户数量
user.max_user_namespaces=15000 #添加此行
在普通用户中这些字段默认
[root@podman ~]# vim /etc/containers/storage.conf
graphroot="$HOME/.local/share/containers/storage"
runroot="$XDG_RUNTIME_DIR/containers"
registries.conf(仓库配置文件)
配置按此顺序读入,这些文件不是默认创建的,可以从/usr/share/containers或复制文件/etc/containers并进行修改。
1./etc/containers/registries.conf
2./etc/containers/registries.d/*
3.HOME/.config/containers/registries.conf
授权文件
此文件里面写了docker账号的密码,以加密方式显示
root用户和普通用户的docker账号和密码授权是相同的
[root@podman ~]# podman login
Username: a3171344634
Password:
Login Succeeded!
[root@podman ~]# find / -name auth.json
/run/user/0/containers/auth.json
[root@podman ~]# cat /run/user/0/containers/auth.json
{
"auths": {
"docker.io": {
"auth": "YTMxNzEzNDQ2MzQ6ZGFkYXhpYW8u"
}
}
}
[root@podman ~]# su - dada
[dada@podman ~]$ podman login
Username: a3171344634
Password:
Login Succeeded!
[dada@podman ~]$ find / -name auth.json #查询授权文件在哪
......
/tmp/podman-run-1000/containers/auth.json
[dada@podman ~]$ cat /tmp/podman-run-1000/containers/auth.json
{
"auths": {
"docker.io": {
"auth": "YTMxNzEzNDQ2MzQ6ZGFkYXhpYW8u"
}
}
}
[dada@podman ~]$ exit
logout
普通用户是无法看见root用户的镜像和容器
//root用户
[root@podman ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/httpd latest dabbfbe0c57b 7 months ago 148 MB
registry.fedoraproject.org/f29/httpd latest 25c76f9dcdb5 3 years ago 482 MB
[root@podman ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c48dcbebb75f docker.io/library/httpd:latest httpd-foreground 2 hours ago Exited (0) About an hour ago 0.0.0.0:80->80/tcp web
//普通用户
[root@podman ~]# su - dada
[dada@podman ~]$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
[dada@podman ~]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
root用户也是无法看见普通用户的镜像和容器的
#在普通用户上拉取镜像并创建容器
[dada@podman ~]$ podman run -dit --name b1 -p 8080:80 httpd
Resolving "httpd" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/library/httpd:latest...
Getting image source signatures
Copying blob 4340e7be3d7f done
Copying blob aed046121ed8 done
Copying blob 80cb79a80bbe done
Copying blob 80e368ef21fc done
Copying blob 1efc276f4ff9 done
Copying config f2a976f932 done
Writing manifest to image destination
Storing signatures
b3f71ad2597359b05ee8343a7e6174368870fbb2a0da9c5e6b356dea5dfedac2
[dada@podman ~]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b3f71ad25973 docker.io/library/httpd:latest httpd-foreground About a minute ago Up About a minute ago 0.0.0.0:8080->80/tcp b1
[dada@podman ~]$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/httpd latest f2a976f932ec 2 weeks ago 149 MB
#root用户
[root@podman ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c48dcbebb75f docker.io/library/httpd:latest httpd-foreground 2 hours ago Exited (0) About an hour ago 0.0.0.0:80->80/tcp web
[root@podman ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/httpd latest dabbfbe0c57b 7 months ago 148 MB
registry.fedoraproject.org/f29/httpd latest 25c76f9dcdb5 3 years ago 482 MB
卷
- 容器与root用户一起运行,则root容器中的用户实际上就是主机上的用户。
[dada@podman ~]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b3f71ad25973 docker.io/library/httpd:latest httpd-foreground 8 minutes ago Up 8 minutes ago 0.0.0.0:8080->80/tcp b1
[dada@podman ~]$ podman exec -it b1 /bin/bash
root@b3f71ad25973:/usr/local/apache2# id
uid=0(root) gid=0(root) groups=0(root)
-
UID GID是在/etc/subuid和/etc/subgid等中用户映射中指定的第一个UID GID。
-
如果普通用户的身份从主机目录挂载到容器中,并在该目录中以根用户身份创建文件,则会看到它实际上是你的用户在主机上拥有的。
使用卷
[root@podman ~]# su - dada
[dada@podman ~]$ pwd
/home/dada
[dada@podman ~]$ mkdir /home/dada/abc
#‘/abc:Z’默认是z指示绑定安装内容在多个容器直接共享,Z选项指示绑定安装内容是使用的且未共享
[dada@podman ~]$ podman run -dit --name web1 -v /home/dada/abc/:/abc:Z -p 8080:80 httpd
642ed75e031ad932b7d141b541280b61a2aba34927762edb4215c55e4e58011a
[dada@podman ~]$ podman exec -it web1 /bin/bash
root@642ed75e031a:/usr/local/apache2# cd /abc/
root@642ed75e031a:/abc# touch 321
root@642ed75e031a:/abc# ls -l
total 0
-rw-r--r--. 1 root root 0 Aug 16 13:12 321
在普通用户主机上查看
[dada@podman ~]$ ll abc/
total 0
-rw-r--r--. 1 dada dada 0 Aug 16 21:12 321
//在普通用户主机上写入文件
[dada@podman ~]$ echo "helo world" >> abc/123
[dada@podman ~]$ cat abc/123
helo world
容器里查看
root@642ed75e031a:/abc# cat 123
helo world
root@642ed75e031a:/abc# ls -l
total 4
-rw-rw-r--. 1 root root 11 Aug 16 13:17 123
-rw-r--r--. 1 root root 0 Aug 16 13:12 321
我们可以发现在容器里面的目录和文件的属主和属组都属于root,那么如何才能让其属于dada用户呢?下面告诉你答案
//只要在运行容器的时候加上一个--userns=keep-id即可。保持一直id
[dada@podman ~]$ podman rm -f -l
642ed75e031ad932b7d141b541280b61a2aba34927762edb4215c55e4e58011a
[dada@podman ~]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[dada@podman ~]$ podman run -dit --name web1 --userns=keep-id -v $(pwd)/abc:/abc:Z busybox
e3367db508a1b65458201a481103b9ca13366f1666dc3cc8480b836c79e5b0a0
[dada@podman ~]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e3367db508a1 docker.io/library/busybox:latest sh 6 seconds ago Up 7 seconds ago web1
[dada@podman ~]$ podman exec -it web1 /bin/sh
~ $ cd abc/
/abc $ ls -l
total 4
-rw-rw-r-- 1 dada dada 11 Aug 16 13:17 123
-rw-r--r-- 1 dada dada 0 Aug 16 13:12 321
使用普通用户映射容器端口时会报“ permission denied”的错误
[dada@podman ~]$ podman run -dit --name no1 -p 80:80 httpd
Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied
普通用户可以映射>= 1024的端口
#删除之前报错的容器后再创建
[dada@podman ~]$ podman rm -f no1
34abdd070f78533434974a806691c47486805c2a024857d6a94d244e700f3b4d
[dada@podman ~]$ podman run -dit --name no1 -p 1024:80 httpd
344d776c97772518b4d97969b53df91271ce9309fc0dfd38cf27778c2812a7ed
[dada@podman ~]$ ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 25 0.0.0.0:514 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:1024 *:*
LISTEN 0 25 [::]:514 [::]:*
配置echo ‘net.ipv4.ip_unprivileged_port_start=80’ >> /etc/sysctl.conf后可以映射大于等于80的端口
[dada@podman ~]$ exit
logout
[root@podman ~]# vim /etc/sysctl.conf
net.ipv4.ip_unprivileged_port_start=80 #添加此行
[root@podman ~]# sysctl -p #立即生效
net.ipv4.ping_group_range = 0 200000
user.max_user_namespaces = 15000
net.ipv4.ip_unprivileged_port_start = 80
#为了演示效果把root用户下的80端口的容器删除
[root@podman ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c48dcbebb75f docker.io/library/httpd:latest httpd-foreground 3 hours ago Exited (0) 2 hours ago 0.0.0.0:80->80/tcp web
[root@podman ~]# podman rm -f web
c48dcbebb75f949b2ffd964a2e51b0dc178e7c908b3a9db45ead68866a25dd9c
#再次创建
[dada@podman ~]$ podman run -dit --name no2 -p 80:80 httpd
5647f05bc604e1c917cd8df40204e967dc0198064b4f652fac65587994657d37
