podman基础用法

  • podman基础用法已关闭评论
  • 29 次浏览
  • A+
所属分类:linux技术
摘要

查看版本查看详细信息搜索镜像拉取镜像列出镜像删除镜像导出镜像导入镜像


podman基础用法

podman常用命令

查看版本

[root@localhost ~]# podman -v podman version 3.3.1 [root@localhost ~]# podman version Version:      3.3.1 API Version:  3.3.1 Go Version:   go1.16.7 Built:        Wed Nov 10 05:23:56 2021 OS/Arch:      linux/amd64 [root@localhost ~]#  

查看详细信息

[root@localhost ~]# podman info host:   arch: amd64   buildahVersion: 1.22.3   cgroupManager: systemd   cgroupVersion: v1   conmon:     package: conmon-2.0.29-1.module_el8.5.0+890+6b136101.x86_64     path: /usr/bin/conmon     version: 'conmon version 2.0.29, commit: 84384406047fae626269133e1951c4b92eed7603'   cpus: 4   distribution:     distribution: '"centos"'     version: "8" -----------------省略-------------------- imageStore:     number: 1   runRoot: /run/containers/storage   volumePath: /var/lib/containers/storage/volumes version:   APIVersion: 3.3.1   Built: 1636493036   BuiltTime: Wed Nov 10 05:23:56 2021   GitCommit: ""   GoVersion: go1.16.7   OsArch: linux/amd64   Version: 3.3.1 

搜索镜像

[root@localhost ~]# podman search httpd INDEX       NAME                                          DESCRIPTION                                      STARS       OFFICIAL    AUTOMATED docker.io   docker.io/library/httpd                       The Apache HTTP Server Project                   4116        [OK]         docker.io   docker.io/clearlinux/httpd                    httpd HyperText Transfer Protocol (HTTP) ser...  2                        docker.io   docker.io/centos/httpd-24-centos7             Platform for running Apache httpd 2.4 or bui...  44                       docker.io   docker.io/manageiq/httpd                      Container with httpd, built on CentOS for Ma...  1                       [OK] 

拉取镜像

[root@localhost ~]# podman pull httpd Resolving "httpd" using unqualified-search registries (/etc/containers/registries.conf) Trying to pull docker.io/library/httpd:latest... Getting image source signatures Copying blob dcc4698797c8 done   Copying blob 41c22baa66ec done   Copying blob d982c879c57e done   Copying blob a2abf6c4d29d done   Copying blob 67283bbdd4a0 done   Copying config dabbfbe0c5 done   Writing manifest to image destination Storing signatures dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34 

列出镜像

[root@localhost ~]# podman images REPOSITORY               TAG         IMAGE ID      CREATED       SIZE docker.io/library/httpd  latest      dabbfbe0c57b  7 months ago  148 MB  [root@localhost ~]# podman image ls REPOSITORY               TAG         IMAGE ID      CREATED       SIZE docker.io/library/httpd  latest      dabbfbe0c57b  7 months ago  148 MB  

删除镜像

[root@localhost ~]# podman rmi httpd Untagged: docker.io/library/httpd:latest Deleted: dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34 [root@localhost ~]# podman images REPOSITORY  TAG         IMAGE ID    CREATED     SIZE  [root@localhost ~]# podman image rm httpd Untagged: docker.io/library/httpd:latest Deleted: dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34 [root@localhost ~]# podman images REPOSITORY  TAG         IMAGE ID    CREATED     SIZE  [root@localhost ~]# podman rmi -f httpd Untagged: docker.io/library/httpd:latest Deleted: dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34 [root@localhost ~]# podman images REPOSITORY  TAG         IMAGE ID    CREATED     SIZE 

导出镜像

[root@localhost ~]# podman image save httpd > httod.tar [root@localhost ~]# ls anaconda-ks.cfg  httod.tar 

导入镜像

[root@localhost ~]# podman images REPOSITORY               TAG         IMAGE ID      CREATED       SIZE docker.io/library/httpd  latest      dabbfbe0c57b  7 months ago  148 MB [root@localhost ~]# podman rmi httpd Untagged: docker.io/library/httpd:latest Deleted: dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34 [root@localhost ~]# podman images REPOSITORY  TAG         IMAGE ID    CREATED     SIZE [root@localhost ~]# podman image load < httod.tar  Getting image source signatures Copying blob deefaa620a71 done   Copying blob 1da636a1aa95 done   Copying blob 2edcec3590a4 done   Copying blob 15e4bf5d0804 done   Copying blob 9cff3206f9a6 done   Copying config dabbfbe0c5 done   Writing manifest to image destination Storing signatures Loaded image(s): docker.io/library/httpd:latest [root@localhost ~]# podman images REPOSITORY               TAG         IMAGE ID      CREATED       SIZE docker.io/library/httpd  latest      dabbfbe0c57b  7 months ago  148 MB 

创建容器

//podman create 创建容器 [root@localhost ~]# podman create httpd		//创建但不启动容器 5d0bd832c2d6477ba535819abc1c4072ce17fa4feab015b4e92c72c9fb053831 

创建并启动容器

//podman run 创建一个运行的容器 [root@localhost ~]# podman run -it --name web httpd /bin/bash root@9868d220012a:~#   --name 容器名 //指定容器名 --label 标记名 //加标记方便查找 -it   //让容器的输入保持打开状态,并分配终端 -c    //不进行登录执行命令 -d    //将容器放入后台进行执行 -v     //可以创建多个数据卷也可挂载到宿主机的目录,如果本地没有目录,则自动生成一个目录        //挂载方法:宿主机目录:docker数据卷 -p     //小写p映射端口   宿主机端:容器端口 -P      //大写P发布所有公开的端口(随机映射端口号) --volumes-from  //容器和容器之间建立联系 ----restart always //永久开启容器,服务重启后容器也会启动,不会关闭 --rm //一次性容器,退出后直接删除 

列出容器

[root@localhost ~]# podman ps CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES  //-a 查看全部容器,包含未启动的容器 [root@localhost ~]# podman ps -a			 CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS      PORTS       NAMES 5d0bd832c2d6  docker.io/library/httpd:latest  httpd-foreground  2 minutes ago  Created                 friendly_ritchie 

启动一个或多个容器

[root@localhost ~]# podman start web web 

停止一个或多个容器

[root@localhost ~]# podman stop web web 

重启容器

[root@localhost ~]# podman restart web 1a779a889fd2d0758f1b1672a9142358153327f9ec00765e62641ce0fee79497 

连接到运行的容器

[root@localhost ~]# podman attach web		//退出会关闭 root@1a779a889fd2# exit 

在正在运行的容器中运行命令

[root@localhost ~]# podman exec -it web /bin/sh			//退出不会停止 # ls bin  build  cgi-bin  conf  error  htdocs  icons  include  logs  modules # exit [root@localhost ~]# podman ps CONTAINER ID  IMAGE                           COMMAND     CREATED        STATUS             PORTS               NAMES 0118e5cab030  docker.io/library/httpd:latest  /bin/bash   4 minutes ago  Up 54 seconds ago  0.0.0.0:80->80/tcp  web 

删除容器

[root@localhost ~]# podman ps -a CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS      PORTS       NAMES 5d0bd832c2d6  docker.io/library/httpd:latest  httpd-foreground  2 minutes ago  Created                 friendly_ritchie [root@localhost ~]# podman rm 5d0bd832c2d6 5d0bd832c2d6477ba535819abc1c4072ce17fa4feab015b4e92c72c9fb053831 [root@localhost ~]# podman ps -a CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES  [root@localhost ~]# podman ps -a		 CONTAINER ID  IMAGE                           COMMAND           CREATED         STATUS      PORTS       NAMES 391246a3e97d  docker.io/library/httpd:latest  httpd-foreground  12 seconds ago  Created                 condescending_cartwright [root@localhost ~]# podman rm -f 391246a3e97d	//-f  强制删除 391246a3e97d071e4da2ac4dbe7b4414e99ac840edc67adaf1c7d9c04f5c9abf [root@localhost ~]# podman ps -a CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES 

查看容器日志

[root@localhost ~]# docker logs web AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message [Fri Aug 05 15:17:38.444681 2022] [mpm_event:notice] [pid 1:tid 139833106722112] AH00489: Apache/2.4.52 (Unix) configured -- resuming normal operations 

干掉运行中的容器

[root@localhost ~]# docker kill web		//kill强制关闭 web [root@localhost ~]# docker ps -a CONTAINER ID   IMAGE     COMMAND              CREATED         STATUS                       PORTS     NAMES 9fdaf3c409da   httpd     "httpd-foreground"   6 minutes ago   Exited (137) 4 seconds ago             web 

显示容器或镜像的配置

[root@localhost ~]# podman inspect httpd [     {         "Id": "dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34",         "Digest": "sha256:0954cc1af252d824860b2c5dc0a10720af2b7a3d3435581ca788dff8480c7b32",         "RepoTags": [             "docker.io/library/httpd:latest"         ],         "RepoDigests": [             "docker.io/library/httpd@sha256:0954cc1af252d824860b2c5dc0a10720af2b7a3d3435581ca788dff8480c7b32",             "docker.io/library/httpd@sha256:57c1e4ff150e2782a25c8cebb80b574f81f06b74944caf972f27e21b76074194"         ] 

登录镜像仓库

[root@localhost ~]# podman login docker.io Username: xinruizhong Password:  Login Succeeded! 

登出镜像仓库

[root@localhost ~]# podman logout docker.io Removed login credentials for docker.io 

显示指定镜像的历史记录

[root@localhost ~]# podman image history httpd ID            CREATED       CREATED BY                                     SIZE              COMMENT dabbfbe0c57b  7 months ago  /bin/sh -c #(nop)  CMD ["httpd-foreground"]    0 B                <missing>     7 months ago  /bin/sh -c #(nop)  EXPOSE 80                   0 B                <missing>     7 months ago  /bin/sh -c #(nop) COPY file:c432ff61c4993e...  3.58 kB            <missing>     7 months ago  /bin/sh -c #(nop)  STOPSIGNAL SIGWINCH         0 B                <missing>     7 months ago  /bin/sh -c set -eux;                                             savedAptMark="$(apt...  61.1 MB      

列出端口映射或容器的特定映射

[root@localhost ~]# podman port web 80/tcp -> 0.0.0.0:80 

重命名现有的容器

[root@localhost ~]# podman ps CONTAINER ID  IMAGE                           COMMAND     CREATED        STATUS            PORTS               NAMES 7403c4f042b4  docker.io/library/httpd:latest  /bin/sh     2 minutes ago  Up 2 minutes ago  0.0.0.0:80->80/tcp  web [root@localhost ~]# podman rename web httpd [root@localhost ~]# podman ps CONTAINER ID  IMAGE                           COMMAND     CREATED        STATUS            PORTS               NAMES 7403c4f042b4  docker.io/library/httpd:latest  /bin/sh     3 minutes ago  Up 2 minutes ago  0.0.0.0:80->80/tcp  httpd 

显示一个容器的运行进程

[root@localhost ~]# podman top web USER        PID         PPID        %CPU        ELAPSED          TTY         TIME        COMMAND root        1           0           0.000       5m56.414637232s  ?           0s          httpd -DFOREGROUND  www-data    8           1           0.000       5m55.414828093s  ?           0s          httpd -DFOREGROUND  www-data    9           1           0.000       5m55.414853952s  ?           0s          httpd -DFOREGROUND  www-data    10          1           0.000       5m55.414877937s  ?           0s          httpd -DFOREGROUND  

给本地镜像添加标签

root@localhost ~]# podman images  REPOSITORY               TAG         IMAGE ID      CREATED       SIZE docker.io/library/httpd  latest      dabbfbe0c57b  7 months ago  148 MB [root@localhost ~]# podman tag docker.io/library/httpd docker.io/library/httpd:v0.1 [root@localhost ~]# podman images  REPOSITORY               TAG         IMAGE ID      CREATED       SIZE docker.io/library/httpd  latest      dabbfbe0c57b  7 months ago  148 MB docker.io/library/httpd  v0.1        dabbfbe0c57b  7 months ago  148 MB 

podman生成

[root@localhost ~]# podman generate systemd --help Generate systemd units.  Description:   Generate systemd units for a pod or container.   The generated units can later be controlled via systemctl(1).  Usage:   podman generate systemd [options] {CONTAINER|POD}  Examples:   podman generate systemd CTR   podman generate systemd --new --time 10 CTR   podman generate systemd --files --name POD  Options:       --container-prefix string   Systemd unit name prefix for containers (default "container")   -f, --files                     Generate .service files instead of printing to stdout       --format string             Print the created units in specified format (json)   -n, --name                      Use container/pod names instead of IDs       --new                       Create a new container instead of starting an existing one       --no-header                 Skip header generation       --pod-prefix string         Systemd unit name prefix for pods (default "pod")       --restart-policy string     Systemd restart-policy (default "on-failure")       --separator string          Systemd unit name separator between name/id and prefix (default "-")   -t, --time uint                 Stop timeout override (default 10)  //示例 [root@localhost ~]# podman generate systemd --name web --files --new /root/container-web.service [root@localhost ~]# cp /root/container-web.service /usr/lib/systemd/system/ [root@localhost ~]# systemctl daemon-reload [root@localhost ~]# systemctl status container-web.service  ● container-web.service - Podman container-web.service    Loaded: loaded (/usr/lib/systemd/system/container-web.service; disabled; vendor preset: disabl>    Active: inactive (dead)      Docs: man:podman-generate-systemd(1)      [root@localhost ~]# systemctl enable --now container-web.service  Created symlink /etc/systemd/system/multi-user.target.wants/container-web.service → /usr/lib/systemd/system/container-web.service. Created symlink /etc/systemd/system/default.target.wants/container-web.service → /usr/lib/systemd/system/container-web.service. 

显示容器资源使用统计的实时流

[root@localhost ~]# podman stats web ID            NAME        CPU %       MEM USAGE / LIMIT  MEM %       NET IO             BLOCK IO      PIDS        CPU TIME     AVG CPU % 1d337a97c9a0  web         0.01%       27.96MB / 3.885GB  0.72%       1.604kB / 2.205kB  8.192kB / 0B  82          74.971194ms  0.00% 

卸载工作容器的根文件系统

[root@localhost ~]# podman umount web web [root@localhost ~]# podman exec -it web /bin/sh		//卸载后无法进入容器 Error: exec failed: container_linux.go:380: starting container process caused: process_linux.go:99: starting setns process caused: fork/exec /proc/self/exe: no such file or directory: OCI runtime attempted to invoke a command that was not found 

挂载工作容器的根文件系统

[root@localhost ~]# podman mount web /var/lib/containers/storage/overlay/e190e6ad8069bc29d32418a2eeb3f9d7d4a7d831a1a36cc97ef5f5d6111b8b2b/merged [root@localhost ~]# podman exec -it web /bin/sh # exit 

podman的基础设置和使用

Podman 是作为 libpod 库的一部分提供的实用程序。它可用于创建和维护容器。以下是Podman 执行一些基本命令

运行示例容器

因为容器在分离模式下运行,由命令中的-dpodman run表示,所以 Podman 将在运行后打印容器 ID。请注意,我们使用端口转发来访问 HTTP 服务器。为了成功运行,至少需要 slirp4netns v0.3.0。

[root@localhost ~]# podman run -dt -p 8080:8080/tcp -e HTTPD_VAR_RUN=/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d   -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf   -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/   registry.fedoraproject.org/f29/httpd /usr/bin/run-httpd Trying to pull registry.fedoraproject.org/f29/httpd:latest... Getting image source signatures Copying blob d77ff9f653ce done   Copying blob aaf5ad2e1aa3 done   Copying blob 7692efc5f81c done   Copying config 25c76f9dcd done   Writing manifest to image destination Storing signatures 364db788cd5751eb07bec9d6acabcfc5c2f4bc4f591c5e16e64d5ffb2b9aeb62 [root@localhost ~]# rpm -qa |grep slirp4netns slirp4netns-1.1.8-1.module_el8.5.0+890+6b136101.x86_64 

列出正在运行的容器

Podman ps命令用于列出创建和运行的容器。

[root@localhost ~]# podman ps  CONTAINER ID  IMAGE                                        COMMAND               CREATED        STATUS            PORTS                   NAMES 364db788cd57  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  2 minutes ago  Up 2 minutes ago  0.0.0.0:8080->8080/tcp  festive_hermann 
参数: -a 或 --all    //列出所有容器,包括未运行 -s  或 --size  //查看本地机上所有运行实例的大小 -q  或 --quiet //查看容器id 

检查正在运行的容器

您可以“检查”正在运行的容器以获取有关其自身的元数据和详细信息。我们甚至可以使用 inspect 子命令来查看分配给容器的 IP 地址。由于容器在无根模式下运行,因此未分配 IP 地址,并且该值将在 inspect 的输出中列为“无”。

[root@localhost ~]# podman inspect -l |grep -i ipaddress             "IPAddress": "10.88.0.2",                     "IPAddress": "10.88.0.2", 

测试httpd服务器

由于我们没有容器的 IP 地址,我们可以使用 curl 测试宿主操作系统和容器之间的网络通信。以下命令应该显示我们容器化 httpd 服务器的索引页面。

[root@localhost ~]# curl 10.88.0.2:8080			//需要跟8080端口号 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">  <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">         <head>                 <title>Test Page for the Apache HTTP Server on Fedora</title>                 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> 

通过宿主机加上映射出来的端口进行访问

podman基础用法

查看容器的日志

您也可以使用 Podman 查看容器的日志:

[root@localhost ~]# podman logs -l => sourcing 10-set-mpm.sh ... => sourcing 20-copy-config.sh ... => sourcing 40-ssl-certs.sh ... AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.2. Set the 'ServerName' directive globally to suppress this message [Mon Aug 15 15:20:46.005433 2022] [ssl:warn] [pid 1:tid 139972014361984] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.1b FIPS  26 Feb 2019, version currently loaded is OpenSSL 1.1.1 FIPS  11 Sep 2018) - may result in undefined or erroneous behavior [Mon Aug 15 15:20:46.006165 2022] [ssl:warn] [pid 1:tid 139972014361984] AH01909: 10.88.0.2:8443:0 server certificate does NOT include an ID which matches the server name 

查看容器进程pid

您可以使用top观察容器中的 httpd pid 。

[root@localhost ~]# podman top -l USER        PID         PPID        %CPU        ELAPSED          TTY         TIME        COMMAND default     1           0           0.000       9m46.752864551s  pts/0       0s          httpd -D FOREGROUND  default     23          1           0.000       9m46.753000255s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat  default     24          1           0.000       9m46.753028749s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat  default     25          1           0.000       9m46.753057272s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat  default     26          1           0.000       9m46.753080013s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat  default     27          1           0.000       9m46.753102749s  pts/0       0s          httpd -D FOREGROUND  default     28          1           0.000       9m46.753125034s  pts/0       0s          httpd -D FOREGROUND  default     32          1           0.000       9m46.753148102s  pts/0       0s          httpd -D FOREGROUND  default     47          1           0.000       9m46.753176176s  pts/0       0s          httpd -D FOREGROUND  

对容器执行检查操作

检查点容器会停止容器,同时将容器中所有进程的状态写入磁盘。有了这个,容器可以稍后恢复并在与检查点完全相同的时间点继续运行。此功能需要在系统上安装 CRIU 3.11 或更高版本。此功能不支持为无根;因此,如果您想尝试它,您需要以 root 身份重新创建您的容器,使用相同的命令但使用 sudo。

[root@localhost ~]# podman container checkpoint festive_hermann 364db788cd5751eb07bec9d6acabcfc5c2f4bc4f591c5e16e64d5ffb2b9aeb62 [root@localhost ~]# podman ps -a CONTAINER ID  IMAGE                                        COMMAND               CREATED         STATUS                    PORTS                   NAMES 364db788cd57  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  20 minutes ago  Exited (0) 8 seconds ago  0.0.0.0:8080->8080/tcp  festive_hermann 

还原容器

还原容器仅适用于以前检查点的容器。还原的容器将继续在检查点操作的同一时间点运行。要恢复容器

[root@localhost ~]# podman container restore festive_hermann 364db788cd5751eb07bec9d6acabcfc5c2f4bc4f591c5e16e64d5ffb2b9aeb62 [root@localhost ~]# podman ps  CONTAINER ID  IMAGE                                        COMMAND               CREATED         STATUS             PORTS                   NAMES 364db788cd57  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  21 minutes ago  Up 21 minutes ago  0.0.0.0:8080->8080/tcp  festive_hermann 

还原后,然后容器将像检查点之前一样再次应答请求

[root@localhost ~]# curl 10.88.0.2:8080 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">  <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">         <head>                 <title>Test Page for the Apache HTTP Server on Fedora</title>                 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> 

迁移容器

要将容器从一个主机实时迁移到另一个主机,容器将在迁移的源系统上执行检查点操作,传输到目标系统,然后在目标系统上还原。传输检查点时,可以指定输出文件。

在源系统上:

[root@localhost ~]# podman container checkpoint festive_hermann -e /tmp/checkpoint.tar.gz 364db788cd5751eb07bec9d6acabcfc5c2f4bc4f591c5e16e64d5ffb2b9aeb62  //传输到检查点上 [root@localhost ~]# scp /tmp/checkpoint.tar.gz 192.168.111.135:/tmp The authenticity of host '192.168.111.135 (192.168.111.135)' can't be established. ECDSA key fingerprint is SHA256:AneDLcALQuLH7WhrvDCtu+7mdCXjrXa87i7CQ+01ntk. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.111.135' (ECDSA) to the list of known hosts. root@192.168.111.135's password:  checkpoint.tar.gz                 100% 4307KB  58.9MB/s   00:00     

在目标容器上:

[root@localhost ~]# podman container restore -i /tmp/checkpoint.tar.gz  Trying to pull registry.fedoraproject.org/f29/httpd:latest... Getting image source signatures Copying blob d77ff9f653ce done   Copying blob aaf5ad2e1aa3 done   Copying blob 7692efc5f81c done   Copying config 25c76f9dcd done   Writing manifest to image destination Storing signatures 364db788cd5751eb07bec9d6acabcfc5c2f4bc4f591c5e16e64d5ffb2b9aeb62 

访问一下

podman基础用法

停止容器

要停止httpd容器

[root@localhost ~]# podman stop -l 364db788cd5751eb07bec9d6acabcfc5c2f4bc4f591c5e16e64d5ffb2b9aeb62 [root@localhost ~]# podman ps -a CONTAINER ID  IMAGE                                        COMMAND               CREATED             STATUS                    PORTS                   NAMES 364db788cd57  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  About a minute ago  Exited (0) 6 seconds ago  0.0.0.0:8080->8080/tcp  festive_hermann 

移除容器

删除httpd容器

[root@localhost ~]# podman rm -l 364db788cd5751eb07bec9d6acabcfc5c2f4bc4f591c5e16e64d5ffb2b9aeb62 [root@localhost ~]# podman ps -a CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES 

podman签名和分发容器并推送到harbor仓库中

对容器映像进行签名源于仅信任专用映像提供程序的动机,以缓解中间人 (MITM) 攻击或对容器注册表的攻击。对图像进行签名的一种方法是使用 GNU 隐私卫士 (GPG) 密钥。此技术通常与任何符合 OCI 的容器注册表(如 Quay.io)兼容。值得一提的是,OpenShift 集成容器注册表开箱即用地支持这种签名机制,这使得单独的签名存储变得不必要。

从技术角度来看,我们可以在将映像推送到远程注册表之前利用 Podman 对映像进行签名。之后,所有运行Podman的系统都必须配置为从远程服务器检索签名,远程服务器可以是任何简单的Web服务器。这意味着在映像拉取操作期间,每个未签名的映像都将被拒绝。但是这是如何工作的呢?

首先,我们必须创建一个GPG密钥对或选择一个本地可用的密钥对。要生成新的GPG密钥,只需运行并按照交互式对话框进行操作即可。现在我们应该能够验证密钥是否在本地存在:

[root@localhost ~]# gpg --full-gen-key gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.  Please select what kind of key you want:    (1) RSA and RSA (default)    (2) DSA and Elgamal    (3) DSA (sign only)    (4) RSA (sign only)   (14) Existing key from card Your selection?  RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048)  Requested keysize is 2048 bits Please specify how long the key should be valid.          0 = key does not expire       <n>  = key expires in n days       <n>w = key expires in n weeks       <n>m = key expires in n months       <n>y = key expires in n years Key is valid for? (0)  Key does not expire at all Is this correct? (y/N) y  GnuPG needs to construct a user ID to identify your key.  Real name: zhongxr  Email address: 1@2.com Comment: zxr    You selected this USER-ID:     "zhongxr (zxr) <1@2.com>"  Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O //设置密码需要超过8位,并需要带特殊符号,输入两遍              ┌─┐              │ Please enter the passphrase to                       │              │ protect your new key                                 │              │                                                      │              │ Passphrase: ***********              └─┘     <OK>                              <Cancel>     │               ┌─┐              │ Please re-enter this passphrase                      │              │                                                      │              │ Passphrase: ***********              │                                                      │              └─┘     <OK>                              <Cancel>     │ We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: key 5DC83A553D298F98 marked as ultimately trusted gpg: directory '/root/.gnupg/openpgp-revocs.d' created gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/FF46300F530BFC8CE64D05FF5DC83A553D298F98.rev' public and secret key created and signed.  pub   rsa2048 2022-08-15 [SC]       FF46300F530BFC8CE64D05FF5DC83A553D298F98 uid                      zhongxr (zxr) <1@2.com> sub   rsa2048 2022-08-15 [E] 

查看密钥

[root@localhost ~]# gpg --list-keys zhongxr gpg: checking the trustdb gpg: marginals needed: 3  completes needed: 1  trust model: pgp gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u pub   rsa2048 2022-08-15 [SC]       FF46300F530BFC8CE64D05FF5DC83A553D298F98 uid           [ultimate] zhongxr (zxr) <1@2.com> sub   rsa2048 2022-08-15 [E] 

为签名选择一个标准的镜像

[root@localhost ~]# podman pull docker://docker.io/alpine:latest Trying to pull docker.io/library/alpine:latest... Getting image source signatures Copying blob 59bf1c3509f3 done   Copying config c059bfaa84 done   Writing manifest to image destination Storing signatures c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18 [root@localhost ~]# podman images alpine REPOSITORY                TAG         IMAGE ID      CREATED       SIZE docker.io/library/alpine  latest      c059bfaa849c  8 months ago  5.87 MB 

需要部署harbor仓库

部署harbor仓库

给alpine打个标签

[root@localhost ~]# podman tag docker.io/library/alpine 192.168.111.135/alpine:v1 [root@localhost ~]# podman images alpine REPOSITORY                TAG         IMAGE ID      CREATED       SIZE docker.io/library/alpine  latest      c059bfaa849c  8 months ago  5.87 MB 192.168.111.135/alpine    v1          c059bfaa849c  8 months ago  5.87 MB 

通过命令对镜像进行签名。我们必须在以下位置修改我们的系统范围的注册表配置 /etc/containers/registries.d/default.yaml

[root@localhost ~]# cd /etc/containers/ [root@localhost containers]# ls certs.d  policy.json      registries.conf.d  storage.conf oci      registries.conf  registries.d [root@localhost containers]# cd registries.d/ [root@localhost registries.d]# ls default.yaml  registry.access.redhat.com.yaml  registry.redhat.io.yaml [root@localhost registries.d]# vim default.yaml  default-docker: #  sigstore: file:///var/lib/containers/sigstore   sigstore: http://192.168.111.135:80		//添加   sigstore-staging: file:///var/lib/containers/sigstore 

推送并签署镜像

[root@localhost ~]# podman push --tls-verify=false --sign-by zhongxr 192.168.111.135/alpine:v1