Basic setup and use of Podman in a rootless environment
[root@localhost ~]# dnf -y install crun // ships with CentOS 8, so it can be installed directly
Last metadata expiration check: 12:43:04 ago on Tue 16 Aug 2022 11:01:38 PM CST.
Dependencies resolved.
==========================================================
Package Arch Version Repo Size
==========================================================
Installing:
crun x86_64 1.4.3-1.module_el8.7.0+1106+45480ee0 appstream 209 k
Installing dependencies:
yajl x86_64 2.1.0-11.el8 appstream 41 k
Transaction Summary
==========================================================
Install 2 Packages
Total download size: 250 k
Installed size: 602 k
Downloading Packages:
(1/2): yajl-2.1.0-11.el8. 155 kB/s | 41 kB 00:00
(2/2): crun-1.4.3-1.modul 458 kB/s | 209 kB 00:00
----------------------------------------------------------
Total 237 kB/s | 250 kB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : yajl-2.1.0-11.el8.x86_64 1/2
Installing : crun-1.4.3-1.module_el8.7.0+11 2/2
Running scriptlet: crun-1.4.3-1.module_el8.7.0+11 2/2
Verifying : crun-1.4.3-1.module_el8.7.0+11 1/2
Verifying : yajl-2.1.0-11.el8.x86_64 2/2
Installed:
crun-1.4.3-1.module_el8.7.0+1106+45480ee0.x86_64
yajl-2.1.0-11.el8.x86_64
Complete!
[root@localhost ~]# vim /usr/share/containers/containers.conf
runtime = "crun"
#runtime = "runc"
[root@localhost ~]# podman run -d --name web nginx
Resolving "nginx" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob a2abf6c4d29d skipped: already exists
Copying blob 186b1aaa4aa6 done
Copying blob 589b7251471a done
Copying blob a0bcbecc962e done
Copying blob b4df32aa5a72 done
Copying blob a9edb18cadd1 done
Copying config 605c77e624 done
Writing manifest to image destination
Storing signatures
c41be3a5f77552ef53e4b5e528d8f121763c308536e735c32f6763c405d4014c
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c41be3a5f775 docker.io/library/nginx:latest nginx -g daemon o... 18 seconds ago Up 17 seconds ago web
[root@localhost ~]# podman inspect web | grep -i ociruntime
"OCIRuntime": "crun",
Installing slirp4netns and fuse-overlayfs
When using Podman as an ordinary user, fuse-overlayfs is recommended rather than the VFS storage driver; version 0.7.6 or later is required. Current releases use it by default.
[root@localhost ~]# dnf -y install slirp4netns fuse-overlayfs
Last metadata expiration check: 12:51:56 ago on Tue 16 Aug 2022 11:01:38 PM CST.
Package slirp4netns-1.1.8-2.module_el8.7.0+1106+45480ee0.x86_64 is already installed.
Package fuse-overlayfs-1.8.2-1.module_el8.7.0+1106+45480ee0.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@localhost ~]# vim /etc/containers/storage.conf
mount_program = "/usr/bin/fuse-overlayfs" // uncomment this line
subuid and subgid configuration
Podman requires that the user running it has a range of UIDs listed in /etc/subuid and /etc/subgid; these files are provided by the shadow-utils or newuid package.
[root@localhost ~]# yum -y install shadow-utils // check /etc/subuid and /etc/subgid: each user's range must be unique and must not overlap any other
Last metadata expiration check: 12:54:04 ago on Tue 16 Aug 2022 11:01:38 PM CST.
Package shadow-utils-2:4.6-16.el8.x86_64 is already installed.
Dependencies resolved.
==========================================================
Package Arch Version Repo Size
==========================================================
Upgrading:
shadow-utils x86_64 2:4.6-17.el8 baseos 1.2 M
Transaction Summary
==========================================================
Upgrade 1 Package
Total download size: 1.2 M
Downloading Packages:
shadow-utils-4.6-17.el8.x 1.2 MB/s | 1.2 MB 00:01
----------------------------------------------------------
Total 455 kB/s | 1.2 MB 00:02
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Upgrading : shadow-utils-2:4.6-17.el8.x86_ 1/2
Cleanup : shadow-utils-2:4.6-16.el8.x86_ 2/2
Running scriptlet: shadow-utils-2:4.6-16.el8.x86_ 2/2
Verifying : shadow-utils-2:4.6-17.el8.x86_ 1/2
Verifying : shadow-utils-2:4.6-16.el8.x86_ 2/2
Upgraded:
shadow-utils-2:4.6-17.el8.x86_64
Complete!
[root@localhost ~]# useradd abc
[root@localhost ~]# cat /etc/subuid
abc:100000:65536
// view /etc/subuid and /etc/subgid: each user's range must be unique and must not overlap any other
[root@localhost ~]# vim /etc/sysctl.conf
net.ipv4.ping_group_range=0 200000 // add this line; the range extends above 100000 so that the user (tom) can use podman
The format of this file is USERNAME:UID:RANGE:
USERNAME: the user name, as listed in /etc/passwd or in the output of getpwent.
UID: the initial UID assigned to the user.
RANGE: the size of the UID range assigned to the user.
The usermod program can be used to assign UIDs and GIDs to a user instead of editing the files directly.
[root@localhost ~]# useradd zxc
[root@localhost ~]# cat /etc/subuid /etc/subgid
abc:100000:65536
zxc:165536:65536
abc:100000:65536
zxc:165536:65536
[root@localhost ~]# usermod --add-subuids 200000-201000 --add-subgids 200000-201000 zxc
[root@localhost ~]# cat /etc/subuid /etc/subgid
abc:100000:65536
zxc:165536:65536
abc:100000:65536
zxc:165536:65536
[root@localhost ~]# usermod --del-subuids 165536-231072 --del-subgids 165536-231072 zxc // --del removes a range
[root@localhost ~]# cat /etc/subuid /etc/subgid
abc:100000:65536
abc:100000:65536
[root@localhost ~]# usermod --add-subuids 200000-201000 --add-subgids 200000-201000 zxc // --add adds a range
[root@localhost ~]# cat /etc/subuid /etc/subgid
abc:100000:65536
zxc:200000:1001
abc:100000:65536
zxc:200000:1001
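The USERNAME:UID:RANGE format and the "unique, non-overlapping" rule above can be checked mechanically. The following is an added example, not code from the original post: it parses subuid/subgid-style content (sample content constructed inline, with a hypothetical user "bad" whose range overlaps abc's) and reports missing ranges and overlaps between users.

```python
"""Validate /etc/subuid or /etc/subgid content for rootless Podman (added example)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: abc and zxc as in the post, plus a deliberately
# overlapping entry for a hypothetical user "bad" so the check has something to find.
SAMPLE_SUBUID = """\
abc:100000:65536
zxc:165536:65536
bad:150000:1000
"""

def parse_subid(text: str) -> Dict[str, List[Tuple[int, int]]]:
    """Return {user: [(first, last), ...]} with inclusive bounds, as usermod reports them."""
    ranges: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected USERNAME:UID:RANGE, got {raw!r}")
        user, start, count = parts[0], int(parts[1]), int(parts[2])
        if count <= 0:
            raise ValueError(f"line {lineno}: range size must be positive")
        ranges[user].append((start, start + count - 1))
    return dict(ranges)

def find_overlaps(ranges: Dict[str, List[Tuple[int, int]]]) -> List[Tuple[str, str, int, int]]:
    """Return (user_a, user_b, first, last) for every pair of ranges that share IDs."""
    flat = sorted((first, last, user) for user, rs in ranges.items() for first, last in rs)
    overlaps = []
    for i, (f1, l1, u1) in enumerate(flat):
        for f2, l2, u2 in flat[i + 1:]:
            if f2 > l1:
                break  # sorted by start: no later range can reach back into this one
            overlaps.append((u1, u2, f2, min(l1, l2)))
    return overlaps

def has_range(ranges: Dict[str, List[Tuple[int, int]]], user: str) -> bool:
    """True if the user has at least one range; rootless podman refuses to start without one."""
    return bool(ranges.get(user))

if __name__ == "__main__":
    parsed = parse_subid(SAMPLE_SUBUID)
    for user, rs in parsed.items():
        print(user, rs)
    for a, b, first, last in find_overlaps(parsed):
        print(f"OVERLAP: {a} and {b} both own {first}-{last}")
```

Run it against the real files with `parse_subid(open("/etc/subuid").read())`; the same function applies to /etc/subgid.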
User configuration files
The three main configuration files are containers.conf, storage.conf and registries.conf. Users can modify these files as needed.
containers.conf (container configuration file)
// how to view the user configuration files; they are read in this order
[root@localhost ~]# cat /usr/share/containers/containers.conf // commonly used
[root@localhost ~]# cat /etc/containers/containers.conf
[root@localhost ~]# cat ~/.config/containers/containers.conf // highest priority
They are read in that order, if they exist; each file can override specific fields of the previous one.
storage.conf (storage configuration file)
1./etc/containers/storage.conf
2.$HOME/.config/containers/storage.conf
For an ordinary user, some fields of /etc/containers/storage.conf are ignored.
[root@localhost ~]# vim /etc/containers/storage.conf
// search for driver
driver = "overlay" // this should be overlay
// search for mount_program
mount_program = "/usr/bin/fuse-overlayfs" // uncomment this line
[root@localhost ~]# vim /etc/sysctl.conf
user.max_user_namespaces=15000 // add this line
These are the default fields for the ordinary-user case:
[root@localhost ~]# vim /etc/containers/storage.conf
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"
registries.conf (registry configuration file)
The configuration is read in this order. These files are not created by default; they can be copied from /usr/share/containers or /etc/containers and then modified.
1./etc/containers/registries.conf
2./etc/containers/registries.d/*
3.$HOME/.config/containers/registries.conf
Authorization file
This file holds the Docker account password, stored in encoded (base64) form.
The Docker account authorization is the same for the root user and for an ordinary user.
[root@localhost ~]# podman login
Username: shujiaming
Password:
Login Succeeded!
[root@localhost ~]# find / -name auth.json
/run/user/0/containers/auth.json
[root@localhost ~]# cat /run/user/0/containers/auth.json
{
"auths": {
"docker.io": {
"auth": "Y2hlbmd4aW53YW5nOkN4dzMxODExMQ=="
}
}
}
[root@localhost ~]# su - abc
[abc@localhost ~]$ podman login
Username: shujiaming
Password:
Login Succeeded!
[abc@localhost ~]$ find / -name auth.json
/tmp/podman-run-1000/containers/auth.json
[abc@localhost ~]$ cat /tmp/podman-run-1000/containers/auth.json
{
"auths": {
"docker.io": {
"auth": "Y2hlbmd4aW53YW5nOkN4dzMxODExMQ=="
}
}
}
[abc@localhost ~]$ exit
logout
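The auth.json shown above stores credentials in a reversible form, so its permissions matter more than its contents suggest. The following is an added example, not code from the original post: it decodes an auth.json document of the same layout (constructed sample with placeholder credentials) and checks that the file is accessible by its owner only; the helper that writes the sample file exists only so the check can be run offline.

```python
"""Audit a Podman/Docker auth.json: decode its entries and check file permissions (added example)."""
import base64
import json
import os
import stat
import tempfile
from typing import Dict, Tuple

# Constructed sample in the same layout as the auth.json printed above; the
# username and password are placeholders, not real credentials.
SAMPLE_AUTH = {
    "auths": {
        "docker.io": {"auth": base64.b64encode(b"exampleuser:examplepass").decode("ascii")}
    }
}

def decode_auths(doc: dict) -> Dict[str, Tuple[str, str]]:
    """Return {registry: (username, password)}; "auth" is just base64("user:password")."""
    out = {}
    for registry, entry in doc.get("auths", {}).items():
        raw = base64.b64decode(entry["auth"]).decode("utf-8")
        user, _, password = raw.partition(":")  # a password may itself contain ':'
        out[registry] = (user, password)
    return out

def audit_auth_file(path: str) -> dict:
    """Report whether the file is owner-only and which registries/users it holds."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        creds = decode_auths(json.load(fh))
    return {
        "mode": mode,
        "mode_ok": not (mode & (stat.S_IRWXG | stat.S_IRWXO)),  # no group/other bits
        "users": {registry: user for registry, (user, _) in creds.items()},
    }

def make_sample_file(mode: int) -> str:
    """Write SAMPLE_AUTH to a temporary auth.json with the given mode; returns its path."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "auth.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_AUTH, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    report = audit_auth_file(make_sample_file(0o644))
    print(f"mode {report['mode']:04o} owner-only: {report['mode_ok']}, users: {report['users']}")
```

To audit a real file use the path podman reports, e.g. `audit_auth_file("/run/user/0/containers/auth.json")`.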
An ordinary user cannot see the root user's images and containers
// root user
[root@localhost ~]# podman images
docker.io/library/nginx latest 605c77e624dd 7 months ago 146 MB
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c41be3a5f775 docker.io/library/nginx:latest nginx -g daemon o... 26 minutes ago Up 26 minutes ago web
// ordinary user
[root@localhost ~]# su - abc
Last login: Wed Aug 17 12:16:06 CST 2022 on pts/1
[abc@localhost ~]$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
[abc@localhost ~]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
Nor can the root user see an ordinary user's images and containers
[abc@localhost ~]$ podman pull httpd // pull an image
Resolving "httpd" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/library/httpd:latest...
Getting image source signatures
Copying blob a2abf6c4d29d done
Copying blob d982c879c57e done
Copying blob dcc4698797c8 done
Copying blob 41c22baa66ec done
Copying blob 67283bbdd4a0 done
Copying config dabbfbe0c5 done
Writing manifest to image destination
Storing signatures
dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34
[abc@localhost ~]$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/httpd latest dabbfbe0c57b 7 months ago 148 MB
// create a container
[abc@localhost ~]$ podman run -dit --name b1 -p 8080:80 httpd
d8af5833a2050fa7dc909495da840232476aef36765cdca1a715112f9205c8f5
[abc@localhost ~]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d8af5833a205 docker.io/library/httpd:latest httpd-foreground 5 seconds ago Up 5 seconds ago 0.0.0.0:8080->80/tcp b1
// root user
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest 605c77e624dd 7 months ago 146 MB
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c41be3a5f775 docker.io/library/nginx:latest nginx -g daemon o... 30 minutes ago Up 30 minutes ago web
Volumes
When a container runs as the root user, the root user inside the container is actually your own user on the host.
[abc@localhost ~]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d8af5833a205 docker.io/library/httpd:latest httpd-foreground 2 minutes ago Up 2 minutes ago 0.0.0.0:8080->80/tcp b1
[abc@localhost ~]$ podman exec -it b1 /bin/bash
root@d8af5833a205:/usr/local/apache2# id
uid=0(root) gid=0(root) groups=0(root)
The UID and GID used are the first UID and GID specified in the user's mapping in /etc/subuid and /etc/subgid.
If, as an ordinary user, you mount a host directory into the container and create a file in that directory as root, you will see that on the host it is actually owned by your user.
Using volumes
[abc@localhost ~]$ pwd
/home/abc
[abc@localhost ~]$ mkdir /home/abc/abc
[abc@localhost ~]$ podman run -it -v "$(pwd)"/abc:/abc docker.io/library/busybox /bin/sh
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 5cc84ad355aa done
Copying config beae173cca done
Writing manifest to image destination
Storing signatures
/ # ls
abc dev home root sys usr
bin etc proc run tmp var
/ # ca abc/
/bin/sh: ca: not found
/ # cd /abc
/abc # touch 123
/abc # ls -l
total 0
-rw-r--r--. 1 root root 0 Aug 16 13:12 123
View on the host as the ordinary user
[abc@localhost ~]$ ll abc/
total 0
-rw-r--r--. 1 zz zz 0 Aug 16 22:52 123
// write a file as the host user
[abc@localhost ~]$ echo "hello world" >> abc/111
[abc@localhost ~]$ cat abc/111
hello world
View inside the container
root@d8af5833a205:/abc# ls
111 123
root@d8af5833a205:/abc# cat 111
hello world
Make the owner and group of the directory and files inside the container show as zz
[abc@localhost ~]$ podman rm -f -l
3245c4c836b2ebb8ed441f30888daab043d4727bc9ed41014e71e5a104264bbd
[abc@localhost ~]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[abc@localhost ~]$ podman run -it --name test -v "$(pwd)"/abc:/abc --userns=keep-id docker.io/library/busybox /bin/sh
~ $ cd abc/
/abc $ ls -l
total 4
-rw-rw-r-- 1 zz zz 12 Aug 16 14:55 111
-rw-r--r-- 1 zz zz 0 Aug 16 14:52 123
Mapping a container to host port 80 as an ordinary user reports a "permission denied" error
[abc@localhost ~]$ podman run -dit --name xxx -p 80:80 httpd
Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied
An ordinary user can map ports >= 1024
[abc@localhost ~]$ podman rm -f xxx
3539351a6ae543d12baaf52a96fa3c7a0ffef73c0f070d9cd2ce7b07ccb3dbbe
[abc@localhost ~]$ podman run -dit --name xxx -p 1024:80 httpd
6cc171b4af8d0c3e8a2d68b78cc45a3090229260da314436a5e6dbebece7b6d7
[abc@localhost ~]$ ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:8080 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:1024 *:*
After configuring echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf, ports >= 80 can be mapped
[root@localhost ~]# vim /etc/sysctl.conf
net.ipv4.ip_unprivileged_port_start = 80 // add at the end of the file
[root@localhost ~]# sysctl -p // apply immediately
net.ipv4.ip_unprivileged_port_start = 80
// to demonstrate, remove the root user's container that occupies port 80
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c41be3a5f775 docker.io/library/nginx:latest nginx -g daemon o... 55 minutes ago Up 55 minutes ago web
[root@localhost ~]# podman rm -f -l
c41be3a5f77552ef53e4b5e528d8f121763c308536e735c32f6763c405d4014c
// create a test container
[root@localhost ~]# podman run -dit --name xxx -p 80:80 httpd
WARN[0000] Ignoring global metacopy option, not supported with booted kernel
7a1d338cd3d61e89568a61f3c64da74f056d6c6d7c5ee9b04430e7c82e9462b7