podman的基本设置和使用

  • podman的基本设置和使用已关闭评论
  • 25 次浏览
  • A+
所属分类:linux技术
摘要

通过宿主机加上映射出来的端口进行访问:
您可以使用 Podman 查看容器的日志:


podman的基本设置和使用


运行httpd示例容器

[root@localhost ~]# podman run -dt -p 8080:8080/tcp -e HTTPD_VAR_RUN=/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d  > -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf  > -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/  > registry.fedoraproject.org/f29/httpd /usr/bin/run-httpd Trying to pull registry.fedoraproject.org/f29/httpd:latest... Getting image source signatures Copying blob aaf5ad2e1aa3 done   Copying blob d77ff9f653ce done   Copying blob 7692efc5f81c done   Copying config 25c76f9dcd done   Writing manifest to image destination Storing signatures 995f7e14f01208bf6249253bb0e0d699790fb884c3c5974f1a35da1b486253f3 [root@localhost ~]# rpm -qa |grep slirp4netns slirp4netns-1.1.8-1.module_el8.5.0+890+6b136101.x86_64 //由于容器在分离模式下运行(在命令中由 -d 表示),因此 Podman 将在运行后打印容器 ID。请注意,我们使用端口转发来访问 HTTP 服务器。要成功运行,至少需要 slirp4netns v0.3.0。 

列出和检查正在运行的容器

[root@localhost ~]# podman ps CONTAINER ID  IMAGE                                        COMMAND               CREATED        STATUS            PORTS                   NAMES 995f7e14f012  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  3 minutes ago  Up 3 minutes ago  0.0.0.0:8080->8080/tcp  vibrant_cohen [root@localhost ~]# podman inspect -l |grep -i ipaddress             "IPAddress": "10.88.0.7",                     "IPAddress": "10.88.0.7", //检查正在运行的容器您可以“检查”正在运行的容器,以获取有关其自身的元数据和详细信息。我们甚至可以使用 inspect 子命令来查看分配给容器的 IP 地址。由于容器在无根模式下运行,因此不会分配 IP 地址,并且该值将在检查的输出中列为“无”。 注意:-l 是最新容器的便利参数。还可以使用容器的 ID 而不是 -l。 

测试httpd服务器

[root@localhost ~]# curl 10.88.0.7:8080 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">  <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">         <head>                 <title>Test Page for the Apache HTTP Server on Fedora</title>                 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />                 <style type="text/css">                         /*<![CDATA[*/ .... //由于我们没有容器的 IP 地址,我们可以使用 curl 测试宿主操作系统和容器之间的网络通信。 

通过宿主机加上映射出来的端口进行访问:
podman的基本设置和使用

查看容器日志

您可以使用 Podman 查看容器的日志:

[root@localhost ~]# podman logs -l => sourcing 10-set-mpm.sh ... => sourcing 20-copy-config.sh ... => sourcing 40-ssl-certs.sh ... AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.7. Set the 'ServerName' directive globally to suppress this message [Tue Aug 16 03:20:25.159854 2022] [ssl:warn] [pid 1:tid 139622578482560] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.1b FIPS  26 Feb 2019, version currently loaded is OpenSSL 1.1.1 FIPS  11 Sep 2018) - may result in undefined or erroneous behavior [Tue Aug 16 03:20:25.160887 2022] [ssl:warn] [pid 1:tid 139622578482560] AH01909: 10.88.0.7:8443:0 server certificate does NOT include an ID which matches the server name AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.7. Set the 'ServerName' directive globally to suppress this message [Tue Aug 16 03:20:25.225009 2022] [ssl:warn] [pid 1:tid 139622578482560] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.1b FIPS  26 Feb 2019, version currently loaded is OpenSSL 1.1.1 FIPS  11 Sep 2018) - may result in undefined or erroneous behavior [Tue Aug 16 03:20:25.226280 2022] [ssl:warn] [pid 1:tid 139622578482560] AH01909: 10.88.0.7:8443:0 server certificate does NOT include an ID which matches the server name .... //-l表示最新最近的意思 

查看容器的进程

您可以使用top观察容器中的 httpd pid

[root@localhost ~]# podman top -l USER        PID         PPID        %CPU        ELAPSED          TTY         TIME        COMMAND default     1           0           0.000       41m9.026176952s  pts/0       0s          httpd -D FOREGROUND  default     23          1           0.000       41m8.026462172s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat  default     24          1           0.000       41m8.026575142s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat  default     25          1           0.000       41m8.026627539s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat  default     26          1           0.000       41m8.026672671s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat  default     27          1           0.000       41m8.026720262s  pts/0       0s          httpd -D FOREGROUND  default     28          1           0.041       41m8.026771455s  pts/0       1s          httpd -D FOREGROUND  default     30          1           0.041       41m8.026815945s  pts/0       1s          httpd -D FOREGROUND  default     34          1           0.041       41m8.026862168s  pts/0       1s          httpd -D FOREGROUND  

对容器执行检查操作

检查点容器会停止容器,同时将容器中所有进程的状态写入磁盘。有了这个,容器可以稍后恢复并在与检查点完全相同的时间点继续运行。此功能需要在系统上安装 CRIU 3.11 或更高版本。此功能不支持为无根;因此,如果您想尝试它,您需要以 root 身份重新创建您的容器,使用相同的命令但使用 sudo

[root@localhost ~]# podman container ls CONTAINER ID  IMAGE                                        COMMAND               CREATED         STATUS             PORTS                   NAMES 995f7e14f012  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  44 minutes ago  Up 44 minutes ago  0.0.0.0:8080->8080/tcp  vibrant_cohen [root@localhost ~]# podman container checkpoint vibrant_cohen 995f7e14f01208bf6249253bb0e0d699790fb884c3c5974f1a35da1b486253f3 [root@localhost ~]# podman ps -a CONTAINER ID  IMAGE                                        COMMAND               CREATED         STATUS                         PORTS                   NAMES 995f7e14f012  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  46 minutes ago  Exited (0) About a minute ago  0.0.0.0:8080->8080/tcp  vibrant_cohen 

还原容器

还原容器仅适用于以前检查点的容器。还原的容器将继续在检查点操作的同一时间点运行。要恢复容器

[root@localhost ~]# podman container restore vibrant_cohen  995f7e14f01208bf6249253bb0e0d699790fb884c3c5974f1a35da1b486253f3 [root@localhost ~]# podman ps  CONTAINER ID  IMAGE                                        COMMAND               CREATED         STATUS             PORTS                   NAMES 995f7e14f012  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  48 minutes ago  Up 48 minutes ago  0.0.0.0:8080->8080/tcp  vibrant_cohen 

还原后,然后容器将会和检查点之前一样再次应答请求

[root@localhost ~]# curl 10.88.0.7:8080 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">  <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">         <head>                 <title>Test Page for the Apache HTTP Server on Fedora</title>                 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />                 <style type="text/css">                         /*<![CDATA[*/                         body { .... 

迁移容器

要将容器从一个主机实时迁移到另一个主机,容器将在迁移的源系统上执行检查点操作,传输到目标系统,然后在目标系统上还原。传输检查点时,可以指定输出文件
在源系统上面

[root@localhost ~]# podman container checkpoint vibrant_cohen -e /tmp/checkpoint.tar.gz      995f7e14f01208bf6249253bb0e0d699790fb884c3c5974f1a35da1b486253f3 //传输到检查点上 [root@localhost ~]# scp /tmp/checkpoint.tar.gz 192.168.222.251:/tmp The authenticity of host '192.168.222.251 (192.168.222.251)' can't be established. ECDSA key fingerprint is SHA256:y11UDaNXs3AnvVUnZQfAim2VHAplF09YOvQp2NemHyk. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.222.251' (ECDSA) to the list of known hosts. root@192.168.222.251's password:  checkpoint.tar.gz                                                100% 6761KB 128.9MB/s   00:00   

在目标系统上面

[root@localhost ~]# podman container restore -i /tmp/checkpoint.tar.gz Trying to pull registry.fedoraproject.org/f29/httpd:latest... Getting image source signatures Copying blob aaf5ad2e1aa3 done   Copying blob 7692efc5f81c done   Copying blob d77ff9f653ce done   Copying config 25c76f9dcd done   Writing manifest to image destination Storing signatures 995f7e14f01208bf6249253bb0e0d699790fb884c3c5974f1a35da1b486253f3 

用目标系统的ip进行访问:
podman的基本设置和使用

停止容器

停止httpd容器

[root@localhost ~]# podman stop -l 995f7e14f01208bf6249253bb0e0d699790fb884c3c5974f1a35da1b486253f3 [root@localhost ~]# podman ps -a CONTAINER ID  IMAGE                                        COMMAND               CREATED            STATUS                     PORTS                   NAMES 995f7e14f012  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  About an hour ago  Exited (0) 10 minutes ago  0.0.0.0:8080->8080/tcp  vibrant_cohen 

移除容器

删除httpd容器

[root@localhost ~]# podman rm -l 995f7e14f01208bf6249253bb0e0d699790fb884c3c5974f1a35da1b486253f3 [root@localhost ~]# podman ps -a CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES 

podman签名和分发容器并推送到harbor仓库中

对容器映像进行签名源于仅信任专用映像提供程序的动机,以缓解中间人 (MITM) 攻击或对容器注册表的攻击。对图像进行签名的一种方法是使用 GNU 隐私卫士 (GPG) 密钥。此技术通常与任何符合 OCI 的容器注册表(如 Quay.io)兼容。值得一提的是,OpenShift 集成容器注册表开箱即用地支持这种签名机制,这使得单独的签名存储变得不必要。

从技术角度来看,我们可以在将映像推送到远程注册表之前利用 Podman 对映像进行签名。之后,所有运行Podman的系统都必须配置为从远程服务器检索签名,远程服务器可以是任何简单的Web服务器。这意味着在映像拉取操作期间,每个未签名的映像都将被拒绝。但是这是如何工作的呢?

首先,我们必须创建一个GPG密钥对或选择一个本地可用的密钥对。要生成新的GPG密钥,只需运行并按照交互式对话框进行操作即可。现在我们应该能够验证密钥是否在本地存在:

[root@localhost ~]# gpg --full-gen-key  gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.  Please select what kind of key you want:    (1) RSA and RSA (default)    (2) DSA and Elgamal    (3) DSA (sign only)    (4) RSA (sign only)   (14) Existing key from card Your selection?  RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048)  Requested keysize is 2048 bits Please specify how long the key should be valid.          0 = key does not expire       <n>  = key expires in n days       <n>w = key expires in n weeks       <n>m = key expires in n months       <n>y = key expires in n years Key is valid for? (0)  Key does not expire at all Is this correct? (y/N) y  GnuPG needs to construct a user ID to identify your key.  Real name: lvnanhai  //输入名字(最少五位) Email address: 136@.com  //输入邮箱 Comment: lnh      //评论 You selected this USER-ID:     "lvnanhai (lnh) <136@.com>"  Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o(小写o) //设置密码需要超过8位,并需要带特殊符号,输入两遍 ┌─┐              │ Please enter the passphrase to                       │              │ protect your new key                                 │              │                                                      │              │ Passphrase: ***********              └─┘     <OK>                              <Cancel>     │               ┌─┐              │ Please re-enter this passphrase                      │              │                                                      │              │ Passphrase: ***********              │                                                      │              └─┘     <OK>                              <Cancel>     │ We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: key 42BD2F6C7BE222CF marked as ultimately trusted gpg: directory '/root/.gnupg/openpgp-revocs.d' created gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/564E291CE58E890315892F7942BD2F6C7BE222CF.rev' public and secret key created and signed.  pub   rsa2048 2022-08-16 [SC]       564E291CE58E890315892F7942BD2F6C7BE222CF uid                      lvnanhai (lnh) <136@.com> sub   rsa2048 2022-08-16 [E] 

查看密钥

[root@localhost ~]# gpg --list-key lvnanhai gpg: checking the trustdb gpg: marginals needed: 3  completes needed: 1  trust model: pgp gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u pub   rsa2048 2022-08-16 [SC]       564E291CE58E890315892F7942BD2F6C7BE222CF uid           [ultimate] lvnanhai (lnh) <136@.com> sub   rsa2048 2022-08-16 [E] 

拉取镜像然后打印标签

[root@localhost ~]# podman images REPOSITORY                            TAG         IMAGE ID      CREATED        SIZE docker.io/library/httpd               latest      dabbfbe0c57b  7 months ago   148 MB 192.168.222.250/httpd                 v2          dabbfbe0c57b  7 months ago   148 MB 

通过命令对镜像进行签名。我们必须在以下位置修改我们的系统范围的注册表配置 /etc/containers/registries.d/default.yaml

[root@localhost ~]# cd /etc/containers/ [root@localhost containers]# ls certs.d  policy.json      registries.conf.d  storage.conf oci      registries.conf  registries.d [root@localhost containers]# cd registries.d/ [root@localhost registries.d]# ls default.yaml  registry.access.redhat.com.yaml  registry.redhat.io.yaml [root@localhost registries.d]# vim default.yaml  default-docker: #  sigstore: file:///var/lib/containers/sigstore   sigstore: http://192.168.222.251:80		//添加   sigstore-staging: file:///var/lib/containers/sigstore 

推送签署镜像

[root@localhost ~]# podman push --tls-verify=false --sign-by lvnanhai 192.168.222.250/httpd:v2