Basic setup and use of podman
Run an example container
[root@localhost ~]# podman run -dt -p 8080:8080/tcp -e HTTPD_VAR_RUN=/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d \
>  -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf \
>  -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \
>  registry.fedoraproject.org/f29/httpd /usr/bin/run-httpd
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob aaf5ad2e1aa3 done  
Copying blob 7692efc5f81c done  
Copying blob d77ff9f653ce done  
Copying config 25c76f9dcd done  
Writing manifest to image destination
Storing signatures
32927806ea54e854e487362d39d738666ea7006767141a8a4f7af4ad9eb315d3
[root@localhost ~]# 
List running containers
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                                        COMMAND               CREATED        STATUS            PORTS                   NAMES
32927806ea54  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  3 minutes ago  Up 3 minutes ago  0.0.0.0:8080->8080/tcp  hungry_visvesvaraya
[root@localhost ~]# 
Inspect the running container
[root@localhost ~]# podman inspect -l |grep -i ipaddres
            "IPAddress": "10.88.0.2",
                    "IPAddress": "10.88.0.2",
[root@localhost ~]# 
Test the httpd server
[root@localhost ~]# curl 10.88.0.2:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
        <head>
                <title>Test Page for the Apache HTTP Server on Fedora</title>
                <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
                <style type="text/css">
                        /*<
View the container logs
[root@localhost ~]# podman logs -l
=> sourcing 10-set-mpm.sh ...
=> sourcing 20-copy-config.sh ...
=> sourcing 40-ssl-certs.sh ...
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.2. Set the 'ServerName' directive globally to suppress this message
View the container's processes
You can use top to observe the httpd PIDs inside the container.
[root@localhost ~]# podman top -l
USER        PID         PPID        %CPU        ELAPSED           TTY         TIME        COMMAND
default     1           0           0.000       15m15.790891247s  pts/0       0s          httpd -D FOREGROUND 
default     23          1           0.000       15m15.791014584s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     24          1           0.000       15m15.791051976s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     25          1           0.000       15m15.791083142s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     26          1           0.000       15m15.79111865s   pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     27          1           0.000       15m15.791148096s  pts/0       0s          httpd -D FOREGROUND 
default     28          1           0.000       15m15.791178705s  pts/0       0s          httpd -D FOREGROUND 
default     30          1           0.000       15m15.791209738s  pts/0       0s          httpd -D FOREGROUND 
default     33          1           0.000       15m15.791243228s  pts/0       0s          httpd -D FOREGROUND 
[root@localhost ~]# 
Checkpoint the container
Checkpointing a container stops the container and writes the state of all processes in the container to disk. With this, the container can later be restored and continue running at exactly the point in time at which it was checkpointed. This feature requires CRIU 3.11 or later to be installed on the system. It is not supported for rootless containers; so if you want to try it, you need to recreate your container as root, using the same command but with sudo.
[root@localhost ~]# podman container checkpoint  hungry_visvesvaraya
32927806ea54e854e487362d39d738666ea7006767141a8a4f7af4ad9eb315d3
[root@localhost ~]# 
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                                        COMMAND               CREATED         STATUS                     PORTS                   NAMES
0850f917a648  docker.io/library/busybox:latest             sh                    25 hours ago    Exited (0) 25 hours ago                            priceless_hermann
52def17049b0  docker.io/library/busybox:latest             sh                    25 hours ago    Exited (0) 25 hours ago                            trusting_wright
2968cb1c8253  docker.io/library/busybox:latest             sh                    25 hours ago    Exited (127) 25 hours ago                          hardcore_payne
120fd003c071  docker.io/library/busybox:latest             sh                    25
Restore the container
[root@localhost ~]# podman container restore hungry_visvesvaraya
32927806ea54e854e487362d39d738666ea7006767141a8a4f7af4ad9eb315d3
[root@localhost ~]# 
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                                        COMMAND               CREATED         STATUS             PORTS                   NAMES
32927806ea54  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  20 minutes ago  Up 20 minutes ago  0.0.0.0:8080->8080/tcp  hungry_visvesvaraya
[root@localhost ~]# 
[root@localhost ~]# curl 10.88.0.2:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
        <head>
                <title>Test Page for the Apache HTTP Server on Fedora</title>
                <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
                <style type="text/css">
                        /*<![CDATA[*/
Migrate the container
To live-migrate a container from one host to another, the container is checkpointed on the source system, transferred to the destination system, and then restored on the destination system. When transferring the checkpoint, an output file can be specified.
On the source system:
[root@localhost ~]# podman container checkpoint hungry_visvesvaraya -e /tmp/algg.tar.gz
32927806ea54e854e487362d39d738666ea7006767141a8a4f7af4ad9eb315d3
[root@localhost ~]# 
[root@localhost ~]# scp /tmp/algg.tar.gz 192.168.10.150:/tmp
The authenticity of host '192.168.10.150 (192.168.10.150)' can't be established. // IP address of the client machine
ECDSA key fingerprint is SHA256:n0Dkwe1M34tJ4a5o5+F7/QfqfwCkHlPmjNl+BKqWjgY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.10.150' (ECDSA) to the list of known hosts.
root@192.168.10.150's password:  // the client machine's password
algg.tar.gz                                      100% 6703KB 162.4MB/s   00:00    
[root@localhost ~]# 
On the destination system:
[root@localhost ~]# podman container restore -i /tmp/algg.tar.gz
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob d77ff9f653ce done  
Copying blob aaf5ad2e1aa3 done  
Copying blob 7692efc5f81c done  
Copying config 25c76f9dcd done  
Writing manifest to image destination
Storing signatures
Error: failed to mount shm tmpfs "/var/lib/containers/storage/overlay-containers/32927806ea54e854e487362d39d738666ea7006767141a8a4f7af4ad9eb315d3/userdata/shm": invalid argument
[root@localhost ~]# 

Stop the container
[root@localhost ~]# podman stop -l
32927806ea54e854e487362d39d738666ea7006767141a8a4f7af4ad9eb315d3
[root@localhost ~]# 
[root@localhost ~]# podman ps -a
32927806ea54  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  39 minutes ago  Exited (0) 12 minutes ago  0.0.0.0:8080->8080/tcp  hungry_visvesvaraya
How to sign and distribute container images with podman
[root@localhost ~]# gpg --full-gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: daojiang
Email address: 123@4.com
Comment: alg
You selected this USER-ID:
    "daojiang (alg) <123@4.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
             ┌──────────────────────────────────────────────────────┐
             │ Please enter the passphrase to                       │
             │ protect your new key                                 │
             │                                                      │
             │ Passphrase: ******                                   │
             │                                                      │
             │       <OK>                              <Cancel>     │
             └──────────────────────────────────────────────────────┘
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 3503977B1F4F8C4F marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/535227B0CA69106F3E93A5A23503977B1F4F8C4F.rev'
public and secret key created and signed.
pub   rsa2048 2022-08-15 [SC]
      535227B0CA69106F3E93A5A23503977B1F4F8C4F
uid                      daojiang (alg) <123@4.com>
sub   rsa2048 2022-08-15 [E]
View the generated key
[root@localhost ~]# gpg --list-keys 123@4.com
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   rsa2048 2022-08-15 [SC]
      535227B0CA69106F3E93A5A23503977B1F4F8C4F
uid           [ultimate] daojiang (alg) <123@4.com>
sub   rsa2048 2022-08-15 [E]
[root@localhost ~]# 
Choose a standard image for the signing experiment: alpine
[root@localhost ~]# podman pull docker://docker.io/alpine:latest
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob 59bf1c3509f3 done  
Copying config c059bfaa84 done  
Writing manifest to image destination
Storing signatures
c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18
[root@localhost ~]# 
[root@localhost ~]# podman images
REPOSITORY                            TAG         IMAGE ID      CREATED       SIZE
docker.io/library/alpine              latest      c059bfaa849c  8 months ago  5.87 MB
Deploy Harbor
[root@harbor ~]# wget https://github.com/goharbor/harbor/releases/download/v2.5.3/harbor-offline-installer-v2.5.3.tgz
Upload the downloaded file to root's home directory
[root@harbor ~]# ls
anaconda-ks.cfg  harbor-offline-installer-v2.5.3.tgz
[root@harbor local]# cd harbor/
[root@harbor harbor]# ls
LICENSE  common.sh  harbor.v2.5.3.tar.gz  harbor.yml.tmpl  install.sh  prepare
[root@harbor harbor]# cp harbor.yml.tmpl harbor.yml
[root@harbor harbor]# vi harbor.yml
hostname: harbor.example.com
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80
# https related config
#https:
  # https port for harbor, default is 443
  #port: 443
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path
  #private_key: /your/private/key/path
[root@harbor harbor]# ./install.sh
[+] Running 10/10
 ⠿ Network harbor_harbor        Created                                       0.2s
 ⠿ Container harbor-log         Started                                       0.6s
 ⠿ Container harbor-portal      Started                                       2.2s
 ⠿ Container registryctl        Started                                       2.2s
 ⠿ Container redis              Started                                       2.4s
 ⠿ Container registry           Started                                       2.2s
 ⠿ Container harbor-db          Started                                       2.4s
 ⠿ Container harbor-core        Started                                       2.8s
 ⠿ Container nginx              Started                                       3.6s
 ⠿ Container harbor-jobservice  Started                                       3.3s
✔ ----Harbor has been installed and started successfully.----
[root@harbor harbor]# 
[root@harbor harbor]# 
[root@harbor harbor]# ss -anlt
State    Recv-Q   Send-Q     Local Address:Port      Peer Address:Port   Process   
LISTEN   0        128              0.0.0.0:80             0.0.0.0:*                
LISTEN   0        128              0.0.0.0:22             0.0.0.0:*                
LISTEN   0        128            127.0.0.1:1514           0.0.0.0:*                
LISTEN   0        128                 [::]:80                [::]:*                
LISTEN   0        128                 [::]:22                [::]:*                
[root@harbor harbor]# 
Retag the image
[root@localhost ~]# podman tag alpine 192.168.10.145/alpine:v0.1
[root@localhost ~]# podman images 
REPOSITORY                TAG         IMAGE ID      CREATED       SIZE
docker.io/library/alpine  latest      c059bfaa849c  8 months ago  5.87 MB
192.168.10.145/alpine    v0.1        c059bfaa849c  8 months ago  5.87 MB
[root@localhost ~]#
Modify the system-wide registries configuration /etc/containers/registries.d/default.yaml:
sigstore: refers to the web server from which signatures are read
sigstore-staging: refers to the file path to which signatures are written
[root@localhost ~]# vim /etc/containers/registries.d/default.yaml 
default-docker:
  sigstore: http://192.168.10.145
  sigstore-staging: file:///var/lib/containers/sigstore
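Two files make this setup enforceable: the registries.d mapping above (where signatures are written and fetched) and /etc/containers/policy.json (whether podman accepts an image that carries no valid signature). The following added example, which is not part of the original post, sanity-checks the default.yaml shown above and generates a policy.json that only admits images from 192.168.10.145 signed by the key created earlier; the exported public key path /etc/pki/containers/alg.gpg is an assumption.

```python
import json

# Constructed sample mirroring the default.yaml above; a "docker" mapping
# may add per-registry overrides next to "default-docker".
REGISTRIES_D = {
    "default-docker": {
        "sigstore": "http://192.168.10.145",
        "sigstore-staging": "file:///var/lib/containers/sigstore",
    },
}

def iter_scopes(cfg):
    """Yield (scope, entry) for every sigstore entry in a registries.d mapping."""
    if "default-docker" in cfg:
        yield "default-docker", cfg["default-docker"]
    yield from cfg.get("docker", {}).items()

def check_sigstore_config(cfg):
    """Return findings for the mapping; an empty list means it is sane."""
    findings = []
    for scope, entry in iter_scopes(cfg):
        read_url = entry.get("sigstore", "")
        write_url = entry.get("sigstore-staging", "")
        if not read_url:
            findings.append(f"{scope}: no 'sigstore', clients cannot fetch signatures")
        elif read_url.startswith("http://"):
            findings.append(f"{scope}: signatures fetched over plain HTTP from {read_url}")
        if write_url and not write_url.startswith("file://"):
            findings.append(f"{scope}: 'sigstore-staging' must be a file:// path")
    return findings

def build_policy(registry, key_path):
    """policy.json that rejects every image unless it comes from `registry`
    and carries a signature by a GPG key exported to key_path."""
    signed = {"type": "signedBy", "keyType": "GPGKeys", "keyPath": key_path}
    return {
        "default": [{"type": "reject"}],
        "transports": {
            "docker": {registry: [signed]},
            # images already in the local daemon are not re-verified on use
            "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]},
        },
    }

if __name__ == "__main__":
    for finding in check_sigstore_config(REGISTRIES_D):
        print("WARN", finding)
    # key path is hypothetical: 'gpg --export 123@4.com > /etc/pki/containers/alg.gpg'
    print(json.dumps(build_policy("192.168.10.145", "/etc/pki/containers/alg.gpg"), indent=2))
```

Run as root it flags the plain-HTTP sigstore URL from the page's default.yaml and prints a policy that makes `podman pull 192.168.10.145/alpine:v0.1` fail unless a signature by the exported key is present.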