Managing Podman for rootless users

Abstract

Before allowing users without root privileges to run Podman, the administrator must install or build Podman and complete the configuration described below.



Basic setup

cgroup v2 is a Linux kernel feature that lets you limit the resources a normal user's containers may consume. If the Linux distribution running Podman has cgroup v2 enabled, the default OCI runtime may need to be changed: some older versions of runc do not work with cgroup v2, and you must switch to the alternative OCI runtime crun. The edit below is made in /usr/share/containers/containers.conf, which is the package default file; the same runtime key (in the [engine] table) can be set in /etc/containers/containers.conf instead, which is the better place on a managed host because that file is not overwritten by package upgrades.

[root@localhost ~]# dnf -y install crun                        // ships with CentOS 8, can be installed directly
[root@localhost ~]# vim /usr/share/containers/containers.conf
runtime = "crun"                                               // uncomment
#runtime = "runc"                                              // comment out
// start a container
[root@localhost ~]# podman run -d --name web nginx
Resolving "nginx" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob b4df32aa5a72 done
Copying blob 589b7251471a done
Copying blob a0bcbecc962e done
Copying blob 186b1aaa4aa6 done
Copying blob a2abf6c4d29d done
Copying blob a9edb18cadd1 done
Copying config 605c77e624 done
Writing manifest to image destination
Storing signatures
230ef7f477fe7b5348bbef97ac6c28d3a38b2a535f5398b06b735530922d9634
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED         STATUS             PORTS       NAMES
230ef7f477fe  docker.io/library/nginx:latest  nginx -g daemon o...  13 seconds ago  Up 13 seconds ago              web
[root@localhost ~]# podman inspect web | grep -i ociruntime
        "OCIRuntime": "crun",

Installing slirp4netns and fuse-overlayfs

When Podman is used as a normal user, fuse-overlayfs is recommended instead of the VFS storage driver; version 0.7.6 or later is required. Current releases already use it by default.

[root@localhost ~]# dnf -y install slirp4netns fuse-overlayfs
[root@localhost ~]# vim /etc/containers/storage.conf
mount_program = "/usr/bin/fuse-overlayfs"                      // uncomment

subuid and subgid configuration

Podman requires that the user running it has a range of UIDs listed in /etc/subuid and /etc/subgid; the shadow-utils or newuid package provides these files.

[root@localhost ~]# yum -y install shadow-utils
[root@localhost ~]# useradd zz
[root@localhost ~]# cat /etc/subuid
zz:100000:65536
[root@localhost ~]# cat /etc/subgid
zz:100000:65536
// Check /etc/subuid and /etc/subgid: each user's range must be unique and must not overlap any other user's range.
[root@localhost ~]# vim /etc/sysctl.conf
net.ipv4.ping_group_range=0 200000                             // add this line: every GID up to 200000 (which covers zz's subgid range) may open unprivileged ICMP sockets, so ping works inside zz's rootless containers

The format of these files is USERNAME:UID:RANGE, where USERNAME is a user name listed in /etc/passwd or in the output of getpwent:

  • UID: the first UID (or GID) assigned to the user.
  • RANGE: the size of the UID (or GID) range assigned to the user.

The usermod program can be used to assign UIDs and GIDs to a user instead of editing the files directly. Its --add-subuids/--del-subuids and --add-subgids/--del-subgids options take an inclusive FIRST-LAST range, so 200000-201000 below becomes the entry xx:200000:1001.

[root@localhost ~]# useradd xx
[root@localhost ~]# cat /etc/subuid /etc/subgid
zz:100000:65536
xx:165536:65536
zz:100000:65536
xx:165536:65536
[root@localhost ~]# usermod --add-subuids 200000-201000 --add-subgids 200000-201000 xx
[root@localhost ~]# cat /etc/subuid /etc/subgid
zz:100000:65536
xx:165536:65536
zz:100000:65536
xx:165536:65536
[root@localhost ~]# usermod --del-subuids 165536-231072 --del-subgids 165536-231072 xx        // --del removes a range
[root@localhost ~]# cat /etc/subuid /etc/subgid
zz:100000:65536
zz:100000:65536
[root@localhost ~]# usermod --add-subuids 200000-201000 --add-subgids 200000-201000 xx        // --add adds a range
[root@localhost ~]# cat /etc/subuid /etc/subgid
zz:100000:65536
xx:200000:1001
zz:100000:65536
xx:200000:1001
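The article states that every user's subordinate ID range must be unique and non-overlapping but shows no way to verify that. The following script is an added example, not from the original article or from the shadow-utils or Podman projects: it parses a file in the USERNAME:START:COUNT format, rejects malformed lines, and reports ranges that collide. The two sample files are constructed for the demonstration (the zz and xx lines mirror the article; bad and junk are made up); on a real host you would point check_subid_file at /etc/subuid and /etc/subgid.

```sh
# Added example (not from the article): validate a subuid/subgid-style file.
# Each line is USERNAME:START:COUNT; START and COUNT must be unsigned integers
# and no two entries may overlap. Works on /etc/subuid or /etc/subgid.

# Constructed sample: 'bad' overlaps zz's range (100000-165535), 'junk' has a
# non-numeric start. Not taken from any real system.
SAMPLE_BAD='zz:100000:65536
xx:165536:65536
bad:150000:1000
junk:abc:10'

# Constructed sample: clean file, ranges adjacent but disjoint.
SAMPLE_GOOD='zz:100000:65536
xx:165536:65536'

# is_uint STRING -> succeeds if STRING is a non-empty run of digits
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_subid_file FILE
# Prints one line per problem found; returns 1 if any, 0 if the file is clean.
check_subid_file() {
    status=0
    prev_user=''
    prev_end=-1
    # Entries are sorted numerically by START so that overlapping ranges end
    # up adjacent and a single pass with "highest end seen so far" finds them.
    while IFS=: read -r user start count; do
        if ! is_uint "$start" || ! is_uint "$count" || [ "$count" -eq 0 ]; then
            printf 'malformed entry: %s:%s:%s\n' "$user" "$start" "$count"
            status=1
            continue
        fi
        end=$((start + count - 1))
        if [ "$start" -le "$prev_end" ]; then
            printf 'overlap: %s (%s-%s) collides with %s (ends at %s)\n' \
                "$user" "$start" "$end" "$prev_user" "$prev_end"
            status=1
        fi
        if [ "$end" -gt "$prev_end" ]; then
            prev_user=$user
            prev_end=$end
        fi
    done <<EOF
$(grep -v '^[[:space:]]*$' "$1" | sort -t: -k2,2n)
EOF
    return $status
}

# count_problems SAMPLE_TEXT -> prints how many problem lines the checker reports
count_problems() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    check_subid_file "$tmp" | wc -l | tr -d ' '
    rm -f "$tmp"
}

# Stand-alone run: report on both constructed samples.
printf 'bad sample: %s problem(s)\n' "$(count_problems "$SAMPLE_BAD")"
printf 'good sample: %s problem(s)\n' "$(count_problems "$SAMPLE_GOOD")"
```

Run it as check_subid_file /etc/subuid && check_subid_file /etc/subgid after adding users or after hand-editing the files; a non-zero exit means rootless Podman will get an ID mapping that collides with another user's.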

User configuration files

The three main configuration files are containers.conf, storage.conf and registries.conf. Users can modify these files as needed.

containers.conf (container configuration file)

// Where the configuration is read from
[root@localhost ~]# cat /usr/share/containers/containers.conf      // package defaults, the one usually consulted
[root@localhost ~]# cat /etc/containers/containers.conf            // system-wide overrides
[root@localhost ~]# cat ~/.config/containers/containers.conf       // per-user file, highest priority

They are read in that order, if they exist; each file can override specific fields of the previous one.

storage.conf (storage configuration file)

1. /etc/containers/storage.conf
2. $HOME/.config/containers/storage.conf

When Podman runs as a normal user, some fields in /etc/containers/storage.conf are ignored.

[root@localhost ~]# vim /etc/containers/storage.conf
// find driver
driver = "overlay"                                             // overlay here
// find mount_program
mount_program = "/usr/bin/fuse-overlayfs"                      // uncomment
[root@localhost ~]# vim /etc/sysctl.conf                       // needed on releases older than 8, where user namespaces are disabled by default; sets how many a user may create
user.max_user_namespaces=15000                                 // add

The two fields below keep the defaults shown here only for root; for a normal user they are ignored, and rootless Podman uses $XDG_RUNTIME_DIR/containers as runroot and $HOME/.local/share/containers/storage as graphroot instead.

[root@localhost ~]# vim /etc/containers/storage.conf
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"

registries.conf (registry configuration file)

The configuration is read in the order below. These files are not created by default; copy one from /usr/share/containers or /etc/containers and modify it.

1. /etc/containers/registries.conf
2. /etc/containers/registries.d/*
3. $HOME/.config/containers/registries.conf

Authorization file

This file holds the registry login. The auth value is the base64 encoding of username:password, not an encrypted value: anyone who can read the file recovers the password, so the file must stay readable only by its owner.

Each user has their own auth.json. Here root and zz log in to the same Docker Hub account, so both files end up with the same auth string. root's file lives under $XDG_RUNTIME_DIR (/run/user/0); zz, entered through su - and therefore without an XDG_RUNTIME_DIR, gets Podman's fallback runtime directory /tmp/podman-run-1000.

[root@localhost ~]# podman login
Username: xinruizhong
Password:
Login Succeeded!
[root@localhost ~]# find / -name auth.json
/run/user/0/containers/auth.json
[root@localhost ~]# cat /run/user/0/containers/auth.json
{
        "auths": {
                "docker.io": {
                        "auth": "<base64 of username:password, redacted here>"
                }
        }
}
[root@localhost ~]# su - zz
[zz@localhost ~]$ podman login
Username: xinruizhong
Password:
Login Succeeded!
[zz@localhost ~]$ find / -name auth.json
/tmp/podman-run-1000/containers/auth.json
[zz@localhost ~]$ cat /tmp/podman-run-1000/containers/auth.json
{
        "auths": {
                "docker.io": {
                        "auth": "<base64 of username:password, redacted here>"
                }
        }
}
[zz@localhost ~]$ exit
logout
[root@localhost ~]#
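To make the point above concrete, the following script is an added example (not part of the original article and not Podman or containers/image code): it reads an auth.json, recovers the username and password from the auth field with nothing more than base64 -d, and checks whether the file is readable by anyone other than its owner. The auth.json content is constructed for the demonstration with a fake login (demouser / hunter2); the only thing it assumes about the real file is the auths/registry/auth layout shown in the article.

```sh
# Added example (not from the article): inspect a Podman/Docker auth.json.
# The "auth" field is base64(username:password), so reading the file is
# enough to recover the registry password; permissions are the only guard.

# Constructed sample with a fake credential: demouser / hunter2.
SAMPLE_AUTH_JSON='{
        "auths": {
                "docker.io": {
                        "auth": "ZGVtb3VzZXI6aHVudGVyMg=="
                }
        }
}'

# flatten FILE -> the JSON with whitespace removed and one line per '{'
# so that each registry name lands on the line just before its "auth" line
# (enough for this fixed layout; no jq needed).
flatten() {
    tr -d ' \t\n' < "$1" | tr '{' '\n'
}

# auth_entries FILE -> one "registry username" line per stored login
auth_entries() {
    flatten "$1" |
        awk -F'"' '$2 == "auth" { print prev, $4; next } { prev = $2 }' |
        while read -r registry b64; do
            creds=$(printf '%s' "$b64" | base64 -d)
            printf '%s %s\n' "$registry" "${creds%%:*}"
        done
}

# auth_password FILE REGISTRY -> the clear-text password stored for REGISTRY
auth_password() {
    b64=$(flatten "$1" |
          awk -F'"' -v r="$2" '$2 == "auth" && prev == r { print $4 } { prev = $2 }')
    creds=$(printf '%s' "$b64" | base64 -d)
    printf '%s\n' "${creds#*:}"
}

# auth_file_exposed FILE -> succeeds if group or others have read permission
auth_file_exposed() {
    perms=$(ls -ld "$1" | cut -c5-10)      # group and other permission bits
    case "$perms" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Stand-alone demo on the constructed file.
demo_auth_file=$(mktemp)
printf '%s\n' "$SAMPLE_AUTH_JSON" > "$demo_auth_file"
chmod 600 "$demo_auth_file"
auth_entries "$demo_auth_file"
if auth_file_exposed "$demo_auth_file"; then
    echo "WARNING: $demo_auth_file is readable by other users"
fi
rm -f "$demo_auth_file"
```

On a real host, run auth_file_exposed against each auth.json that find reports (the /tmp fallback path in particular, since /tmp is shared by every user on the machine) and fix any file that is not mode 0600.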

A normal user cannot see root's images and containers.

// root user
[root@localhost ~]# podman images
REPOSITORY               TAG         IMAGE ID      CREATED       SIZE
docker.io/library/nginx  latest      605c77e624dd  7 months ago  146 MB
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED      STATUS          PORTS       NAMES
230ef7f477fe  docker.io/library/nginx:latest  nginx -g daemon o...  2 hours ago  Up 2 hours ago              web
// normal user
[root@localhost ~]# su - zz
Last login: Tue Aug 16 22:19:02 CST 2022 on pts/2
[zz@localhost ~]$ podman images
REPOSITORY  TAG         IMAGE ID    CREATED     SIZE
[zz@localhost ~]$ podman ps -a
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

Likewise, root cannot see the normal user's images and containers.

// normal user
[zz@localhost ~]$ podman pull httpd                             // pull an image
Resolving "httpd" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/library/httpd:latest...
Getting image source signatures
Copying blob aed046121ed8 skipped: already exists
Copying blob 4340e7be3d7f skipped: already exists
Copying blob 80e368ef21fc skipped: already exists
Copying blob 1efc276f4ff9 skipped: already exists
Copying blob 80cb79a80bbe done
Copying config f2a976f932 done
Writing manifest to image destination
Storing signatures
f2a976f932ec6fe48978c1cdde2c8217a497b1f080c80e49049e02757302cf74
[zz@localhost ~]$ podman images
REPOSITORY               TAG         IMAGE ID      CREATED      SIZE
docker.io/library/httpd  latest      f2a976f932ec  2 weeks ago  149 MB
// create a container
[zz@localhost ~]$ podman run -dit --name b1 -p 8080:80 httpd
b5cdee0cc511a7acc3e0174b3ad77c6117113c7111d0863dcd8e718a78fe6b6d
[zz@localhost ~]$ podman ps -a
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS                 NAMES
b5cdee0cc511  docker.io/library/httpd:latest  httpd-foreground  7 seconds ago  Up 7 seconds ago  0.0.0.0:8080->80/tcp  b1
// root user
[root@localhost ~]# podman images
REPOSITORY               TAG         IMAGE ID      CREATED       SIZE
docker.io/library/nginx  latest      605c77e624dd  7 months ago  146 MB
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED      STATUS          PORTS       NAMES
230ef7f477fe  docker.io/library/nginx:latest  nginx -g daemon o...  2 hours ago  Up 2 hours ago              web

  • When a process in the container runs as root, the root user inside the container is actually your own user on the host.
  • Any other UID/GID in the container is mapped starting at the first ID of the user's range in /etc/subuid and /etc/subgid (for zz, container UID 1 becomes host UID 100000, UID 2 becomes 100001, and so on).
  • If you mount a host directory into the container as a normal user and create files in it as root, you will see that on the host they are actually owned by your user.

[zz@localhost ~]$ podman ps
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS                 NAMES
b5cdee0cc511  docker.io/library/httpd:latest  httpd-foreground  3 minutes ago  Up 3 minutes ago  0.0.0.0:8080->80/tcp  b1
[zz@localhost ~]$ podman exec -it b1 /bin/bash
root@b5cdee0cc511:/usr/local/apache2# id
uid=0(root) gid=0(root) groups=0(root)

Using volumes

[root@localhost ~]# su - zz
[zz@localhost ~]$ pwd
/home/zz
[zz@localhost ~]$ mkdir /home/zz/abc
// The :Z suffix on the -v option is an SELinux relabel flag: lowercase z labels the bind-mounted content as shared between multiple containers, uppercase Z labels it as private to this one container.
[zz@localhost ~]$ podman run -dit --name zxr -v /home/zz/abc/:/abc:Z -p 8080:80 httpd
5f8c15de22474eecb4d24e729ea907ec26ff109ac69cc09020ed8e017843de97
[zz@localhost ~]$ podman exec -it zxr /bin/bash
root@5f8c15de2247:/usr/local/apache2# cd /abc/
root@5f8c15de2247:/abc# touch 123
root@5f8c15de2247:/abc# ls -l
total 0
drwxr-xr-x. 2 nobody nogroup 6 Aug 16 14:44 aaa

Viewed on the host

[zz@localhost ~]$ ll abc/                                      // as user zz
total 0
-rw-r--r--. 1 zz zz 0 Aug 16 22:52 123
// write a file as the user
[zz@localhost ~]$ echo "hello world" >> abc/111
[zz@localhost ~]$ cat abc/111
hello world

Viewed in the container

root@5f8c15de2247:/abc# ls
111  123
root@5f8c15de2247:/abc# cat 111
hello world

Making the directory and files in the container show zz as owner and group

// Add --userns=keep-id when running the container: the user's own uid/gid is kept inside the container.
[zz@localhost ~]$ podman rm -f -l
5f8c15de22474eecb4d24e729ea907ec26ff109ac69cc09020ed8e017843de97
[zz@localhost ~]$ podman ps -a
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES
[zz@localhost ~]$ podman run -dit --name zzz --userns=keep-id -v $(pwd)/abc:/abc:Z busybox
Resolved "busybox" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 50783e0dfb64 done
Copying config 7a80323521 done
Writing manifest to image destination
Storing signatures
42c49ace20d71e2c2356029bef2c770279a6b35b68b69c83e6e443e9b0a0d61a
[zz@localhost ~]$ podman ps
CONTAINER ID  IMAGE                             COMMAND     CREATED         STATUS             PORTS       NAMES
42c49ace20d7  docker.io/library/busybox:latest  sh          20 seconds ago  Up 20 seconds ago              zzz
[zz@localhost ~]$ podman exec -it zzz /bin/sh
~ $ cd abc/
/abc $ ls -l
total 4
-rw-rw-r--    1 zz       zz              12 Aug 16 14:55 111
-rw-r--r--    1 zz       zz               0 Aug 16 14:52 123
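The ownership behaviour described in the bullets above (container root is the host user, other IDs come from the subuid range) and the change that --userns=keep-id makes are both just arithmetic over the user namespace's ID map, the same format the kernel exposes in /proc/<pid>/uid_map. The script below is an added example, not code from the article or from Podman: it translates IDs in both directions over such a map. The two maps are constructed by assumption for a host user with uid 1000 and the article's subuid entry 100000:65536, one for Podman's default rootless mapping and one for --userns=keep-id; they are not copied from the page. IDs that no line of the map covers are shown as the kernel overflow ID 65534, which is why unmapped host files appear as nobody/nogroup inside a rootless container.

```sh
# Added example (not from the article): ID translation across a rootless
# container's user namespace, using uid_map lines of "inside outside count".

# Constructed default rootless map for host uid 1000 with subuid 100000:65536:
# container root is the host user, everything else comes from the subuid range.
MAP_DEFAULT='0 1000 1
1 100000 65536'

# Constructed --userns=keep-id map for the same user: the host user keeps its
# own uid inside the container, and the subuid range fills the ids around it.
MAP_KEEP_ID='0 100000 1000
1000 1000 1
1001 101000 64536'

# Kernel fallback for ids with no mapping (kernel.overflowuid / overflowgid).
OVERFLOW_ID=65534

# translate MAP_TEXT ID FROM TO
#   FROM/TO select the column to match on and the column to produce:
#   1 = inside (container) id, 2 = outside (host) id.
#   Prints the translated id, or OVERFLOW_ID when ID falls outside every line.
translate() {
    map=$1 id=$2 from=$3 to=$4
    result=$OVERFLOW_ID
    while read -r inside outside count; do
        [ -z "$inside" ] && continue
        if [ "$from" -eq 1 ]; then
            base=$inside; target=$outside
        else
            base=$outside; target=$inside
        fi
        if [ "$id" -ge "$base" ] && [ "$id" -lt $((base + count)) ]; then
            result=$((target + id - base))
            break
        fi
    done <<EOF
$map
EOF
    printf '%s\n' "$result"
}

# host_uid MAP CONTAINER_UID -> the host owner of a file created by that container uid
host_uid()      { translate "$1" "$2" 1 2; }
# container_uid MAP HOST_UID -> how a host-owned file appears from inside the container
container_uid() { translate "$1" "$2" 2 1; }

# Stand-alone run: the cases the article demonstrates.
echo "default: container root      -> host uid $(host_uid "$MAP_DEFAULT" 0)"        # 1000, the user (files in /abc show up as zz)
echo "default: container uid 1     -> host uid $(host_uid "$MAP_DEFAULT" 1)"        # 100000, first subuid
echo "default: host root's file    -> container uid $(container_uid "$MAP_DEFAULT" 0)"  # 65534, shown as nobody
echo "keep-id: container uid 1000  -> host uid $(host_uid "$MAP_KEEP_ID" 1000)"     # 1000, so zz sees its own files as zz
echo "keep-id: container root      -> host uid $(host_uid "$MAP_KEEP_ID" 0)"        # 100000, root inside is no longer the user
```

To check a live container, compare the output against cat /proc/$(podman inspect -f '{{.State.Pid}}' NAME)/uid_map; a keep-id container shows the three-line shape, a default one the two-line shape.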

Mapping a privileged port as a normal user fails with "permission denied"

[zz@localhost ~]$ podman run -dit --name xxx -p 80:80 httpd
Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied

A normal user can map ports >= 1024.

[zz@localhost ~]$ podman rm -f xxx
804118df04eb0e049a187288d5a74429fba36db1e8ca25dcb114ec98627690fa
[zz@localhost ~]$ podman run -dit --name xxx -p 1024:80 httpd
73bb26b44db1487b0a95271fc8a833d63883c80b72b7225e432df6a4bb911b71
[zz@localhost ~]$ ss -anlt
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128           0.0.0.0:22         0.0.0.0:*
LISTEN  0       128              [::]:22            [::]:*
LISTEN  0       128                 *:1024             *:*

After adding net.ipv4.ip_unprivileged_port_start=80 to /etc/sysctl.conf, ports from 80 upward can be mapped. Be aware that this sysctl is host-wide: it allows every unprivileged process on the machine, not only Podman, to bind ports 80 through 1023, so on a shared host prefer a port >= 1024 unless that is acceptable. Note also that the final test below is run as root, which can bind port 80 regardless of the sysctl; to actually verify the change, repeat the same podman run as zz.

[root@localhost ~]# vim /etc/sysctl.conf
net.ipv4.ip_unprivileged_port_start = 80                       // append at the end
[root@localhost ~]# sysctl -p                                  // apply immediately
net.ipv4.ip_unprivileged_port_start = 80
// remove root's nginx container first (it was started without -p, so it was not actually holding port 80)
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED      STATUS          PORTS       NAMES
230ef7f477fe  docker.io/library/nginx:latest  nginx -g daemon o...  3 hours ago  Up 3 hours ago              web
[root@localhost ~]# podman rm -f -l
230ef7f477fe7b5348bbef97ac6c28d3a38b2a535f5398b06b735530922d9634
// test (run here as root; run it as zz to exercise the sysctl)
[root@localhost ~]# podman run -dit --name xxx -p 80:80 httpd
498e966c5635f025be5e3236b8692562a65d3b547e15df8109a72f48295f2dc1