Using Podman as a rootless user
Basic setup for using Podman in a rootless environment
If your Linux distribution runs Podman with cgroup v2 enabled, you may need to change the default OCI runtime: some older versions of runc do not work with cgroup v2, so you must switch to the alternative OCI runtime crun.
[root@node1 ~]# vim /usr/share/containers/containers.conf
runtime = "crun"
Install crun:
[root@node1 ~]# dnf -y install crun
Last metadata expiration check: 0:52:51 ago on Tue 16 Aug 2022 05:51:51 PM CST.
Dependencies resolved.
====================================================================================
Package Arch Version Repository Size
====================================================================================
Installing:
crun x86_64 1.0-1.module_el8.5.0+911+f19012f9 AppStream 193 k
Installing dependencies:
yajl x86_64 2.1.0-10.el8 AppStream 41 k
Transaction Summary
====================================================================================
Install 2 Packages
[root@YL ~]# podman run -d --name web -p 8080:8080 docker.io/library/busybox
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 50783e0dfb64 done
Copying config 7a80323521 done
Writing manifest to image destination
Storing signatures
4692b199d3ac4e43b0ff3088835fee21a8a4dac319a8416129715af14b162f54
[root@YL ~]# podman inspect web | grep crun
"OCIRuntime": "crun",
"crun",
Configure /etc/subuid and /etc/subgid
[root@node1 ~]# dnf -y install shadow-utils-2:4.6-14.el8.x86_64
Last metadata expiration check: 5:18:55 ago on Tue 16 Aug 2022 12:27:43 PM CST.
Dependencies resolved.
====================================================================================
Package Architecture Version Repository Size
====================================================================================
Upgrading:
shadow-utils x86_64 2:4.6-14.el8 base 1.2 M
[root@node1 ~]# useradd liu
[root@node1 ~]# usermod --add-subuid 200000-201000 --add-subgid 200000-201000 liu
[root@node1 ~]# cat /etc/subuid && cat /etc/subgid
liu:200000:1001
liu:200000:1001
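Before relying on the entries above, it is worth checking them the way Podman will read them. The following is an added example (not from the article or from Podman) that parses the `name:start:count` format written by `usermod --add-subuid` and reports a missing entry, malformed lines, a range too small for rootless use, or an overlap with another user's range; SAMPLE_SUBUID is constructed sample data, with liu's line mirroring the article.

```python
import re

# Added example, not from the article or from Podman: validate the
# `name:start:count` entries that `usermod --add-subuid` writes (compare the
# `liu:200000:1001` line above). SAMPLE_SUBUID is constructed sample data.
LINE_RE = re.compile(r"^([^:\s]+):(\d+):(\d+)$")

def parse_sub_ids(text):
    """Return {user: [(first_id, last_id), ...]}; blank and # lines are skipped."""
    ranges = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or int(m.group(3)) == 0:
            raise ValueError(f"line {lineno}: malformed subuid entry {line!r}")
        name, start, count = m.group(1), int(m.group(2)), int(m.group(3))
        ranges.setdefault(name, []).append((start, start + count - 1))
    return ranges

def check_user(text, user, minimum=65536):
    """Return findings for `user`; an empty list means the entry looks usable.
    Checks: an entry exists, it holds at least `minimum` ids (65536 is what
    Podman recommends for rootless use), and no other user's range overlaps.
    """
    ranges = parse_sub_ids(text)
    mine = ranges.get(user, [])
    if not mine:
        return [f"{user} has no entry; rootless podman cannot map ids for it"]
    findings = []
    total = sum(last - first + 1 for first, last in mine)
    if total < minimum:
        findings.append(f"{user} has only {total} subordinate ids (< {minimum})")
    for other, theirs in ranges.items():
        if other == user:
            continue
        for f1, l1 in mine:
            for f2, l2 in theirs:
                if f1 <= l2 and f2 <= l1:  # closed intervals intersect
                    findings.append(f"{user} {f1}-{l1} overlaps {other} {f2}-{l2}")
    return findings

# Constructed sample: liu mirrors the article; bob's range overlaps liu's.
SAMPLE_SUBUID = "# constructed\nliu:200000:1001\nbob:200500:65536\nalice:300000:65536\n"

if __name__ == "__main__":
    for user in ("liu", "bob", "alice", "carol"):
        print(user, check_user(SAMPLE_SUBUID, user) or ["OK"])
```

Run it against the real files with `check_user(open("/etc/subuid").read(), "liu")` and the same for /etc/subgid.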
[root@localhost ~]# vi /etc/containers/storage.conf
[storage]
# Default Storage Driver, Must be set for proper operation.
driver = "overlay" # change this to overlay
.......
mount_program = "/usr/bin/fuse-overlayfs" # uncomment this line
[root@YL ~]# sysctl user.max_user_namespaces=15000
user.max_user_namespaces = 15000
The registry username and password are written to this file in encoded form:
[root@node1 ~]# podman login
Username: admin
Password:
Login Succeeded!
[root@node1 ~]# cat /run/user/0/containers/auth.json
{
    "auths": {
        "registry.fedoraproject.org": {
            "auth": "YWRtaW46SGFyYm9yMTIzNDU="
        }
    }
}
A regular user cannot see root's images:
[root@node1 ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/registry latest 3a0f7b0a13ef 6 days ago 24.7 MB
docker.io/library/nginx latest b692a91e4e15 2 weeks ago 146 MB
[root@node1 ~]# su - liu
[liu@node1 ~]$
[liu@node1 ~]$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
Volume mounts as a rootless user
[root@YL ~]# su - ly
[ly@YL ~]$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
[ly@YL ~]$ mkdir /home/ly/ly
[ly@YL ~]$ podman run -it -v "$(pwd)"/ly:/ly docker.io/library/busybox /bin/sh
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 50783e0dfb64 done
Copying config 7a80323521 done
Writing manifest to image destination
Storing signatures
/ # ls
bin dev etc home ly proc root run sys tmp usr var
/ # cd ly
/ly # touch 123
/ly # ls -l
total 0
-rw-r--r-- 1 root root 0 Aug 16 14:07 123
/ly # exit
[ly@YL ~]$
Check from the host:
[ly@YL ~]$ ll ly/
total 0
-rw-r--r-- 1 ly ly 0 Aug 16 22:07 123
Write to the file again from the host:
[ly@YL ~]$ echo "222" > ly/123
[ly@YL ~]$ cat ly/123
222
Inside the container the file's owner and group are still both root:
/ # ls -l ly/
total 4
-rw-r--r-- 1 root root 4 Aug 16 14:09 123
-rw-r--r-- 1 root root 0 Aug 16 14:16 a
To make the files belong to the ly user, add --userns=keep-id when running the container; this keeps the same uid inside the container instead of using a mapped virtual id.
[ly@YL ~]$ podman rm -f -l
1cae9d5381f1d0b78c4814e90641f7eeb60bdb703ad689a3407c218875623988
[ly@YL ~]$ podman run -it -v `pwd`/ly:/ly --userns=keep-id docker.io/library/busybox /bin/sh
~ $ ls -l ly/
total 4
-rw-r--r-- 1 ly ly 4 Aug 16 14:09 123
-rw-r--r-- 1 ly ly 0 Aug 16 14:16 a
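The two listings above (root inside the container but ly on the host, then ly in both places with --userns=keep-id) follow from how the subordinate range is mapped. This added example (not from the article or Podman) models that mapping for the article's range 200000:1001; the host uid 1000 for ly is an assumption, and the function also raises when a container uid has no slot in the range, which is what a too-small subuid allocation produces.

```python
# Added example, not from the article or Podman: model where a file created
# inside a rootless container lands on the host, with and without
# --userns=keep-id, using the article's subordinate range 200000:1001.
# The host uid 1000 for user ly is an assumption (check with `id -u ly`).
SUB_START, SUB_COUNT = 200000, 1001

def host_uid(container_uid, user_uid, keep_id=False,
             sub_start=SUB_START, sub_count=SUB_COUNT):
    """Return the host uid that owns a file written by `container_uid`.

    Default rootless mapping: container root (0) is the unprivileged host
    user, and container uid n >= 1 is sub_start + n - 1.
    With --userns=keep-id the user's own uid maps onto itself and the
    subordinate range is spent on every other container uid in order.
    Raises ValueError when the uid has no slot in the allocated range.
    """
    if container_uid < 0:
        raise ValueError("uid must be non-negative")
    if not keep_id:
        if container_uid == 0:
            return user_uid
        offset = container_uid - 1
    else:
        if container_uid == user_uid:
            return user_uid
        # ids below the user's own uid keep their offset; ids above shift by one
        offset = container_uid if container_uid < user_uid else container_uid - 1
    if offset >= sub_count:
        raise ValueError(f"container uid {container_uid} has no host mapping")
    return sub_start + offset

if __name__ == "__main__":
    LY = 1000  # assumed host uid of ly
    # `touch 123` as container root: `ll ly/` on the host shows owner ly
    print(host_uid(0, LY))                  # 1000
    # the first non-root container uid is the first subordinate id
    print(host_uid(1, LY))                  # 200000
    # with --userns=keep-id the shell runs as ly, so files stay ly's
    print(host_uid(LY, LY, keep_id=True))   # 1000
    # under keep-id, container root is a subordinate id, not the host user
    print(host_uid(0, LY, keep_id=True))    # 200000
```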
Mapping container ports as a regular user
[ly@YL ~]$ podman run -d -p 88:80 httpd
Resolving "httpd" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/library/httpd:latest...
Getting image source signatures
Copying blob 4340e7be3d7f done
Copying blob 1efc276f4ff9 done
Copying blob 80cb79a80bbe done
Copying blob 80e368ef21fc done
Copying blob aed046121ed8 done
Copying config f2a976f932 done
Writing manifest to image destination
Storing signatures
// When a regular user maps a container port below 1024, a "permission denied" error is reported:
Error: rootlessport cannot expose privileged port 88, you can add 'net.ipv4.ip_unprivileged_port_start=88' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:88: bind: permission denied
A regular user can map ports >= 1024:
[ly@YL ~]$ podman run -d -p 1024:80 httpd
630ade986ece92587586114ba8228ae620a716582f6c089bdcba1b808ce91a85
After configuring echo 'net.ipv4.ip_unprivileged_port_start=20' >> /etc/sysctl.conf, ports >= 20 can be mapped:
[root@YL ~]# cat /etc/sysctl.conf | tail -2
net.ipv4.ip_unprivileged_port_start=20
[root@YL ~]# vim /etc/sysctl.conf
[root@YL ~]# sysctl -p
net.ipv4.ping_group_range = 0 300000
user.max_user_namespaces = 15000
net.ipv4.ip_unprivileged_port_start = 20
[root@YL ~]# su - ly
Last login: Tue Aug 16 22:34:44 CST 2022 on pts/0
[ly@YL ~]$ podman run -d -p 30:80 httpd
1c37b0c48560b17463d6a476abd14aecd9cd71c05038c22b699e91668793741f