podman基礎用法
目錄podman常用命令
查看版本
[root@localhost ~]# podman -v
podman version 3.3.1
[root@localhost ~]# podman version
Version: 3.3.1
API Version: 3.3.1
Go Version: go1.16.7
Built: Wed Nov 10 05:23:56 2021
OS/Arch: linux/amd64
[root@localhost ~]#
查看詳細信息
[root@localhost ~]# podman info
host:
arch: amd64
buildahVersion: 1.22.3
cgroupManager: systemd
cgroupVersion: v1
conmon:
package: conmon-2.0.29-1.module_el8.5.0+890+6b136101.x86_64
path: /usr/bin/conmon
version: 'conmon version 2.0.29, commit: 84384406047fae626269133e1951c4b92eed7603'
cpus: 4
distribution:
distribution: '"centos"'
version: "8"
-----------------省略--------------------
imageStore:
number: 1
runRoot: /run/containers/storage
volumePath: /var/lib/containers/storage/volumes
version:
APIVersion: 3.3.1
Built: 1636493036
BuiltTime: Wed Nov 10 05:23:56 2021
GitCommit: ""
GoVersion: go1.16.7
OsArch: linux/amd64
Version: 3.3.1
搜索鏡像
[root@localhost ~]# podman search httpd
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
docker.io docker.io/library/httpd The Apache HTTP Server Project 4116 [OK]
docker.io docker.io/clearlinux/httpd httpd HyperText Transfer Protocol (HTTP) ser... 2
docker.io docker.io/centos/httpd-24-centos7 Platform for running Apache httpd 2.4 or bui... 44
docker.io docker.io/manageiq/httpd Container with httpd, built on CentOS for Ma... 1 [OK]
拉取鏡像
[root@localhost ~]# podman pull httpd
Resolving "httpd" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/library/httpd:latest...
Getting image source signatures
Copying blob dcc4698797c8 done
Copying blob 41c22baa66ec done
Copying blob d982c879c57e done
Copying blob a2abf6c4d29d done
Copying blob 67283bbdd4a0 done
Copying config dabbfbe0c5 done
Writing manifest to image destination
Storing signatures
dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34
列出鏡像
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/httpd latest dabbfbe0c57b 7 months ago 148 MB
[root@localhost ~]# podman image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/httpd latest dabbfbe0c57b 7 months ago 148 MB
刪除鏡像
[root@localhost ~]# podman rmi httpd
Untagged: docker.io/library/httpd:latest
Deleted: dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@localhost ~]# podman image rm httpd
Untagged: docker.io/library/httpd:latest
Deleted: dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@localhost ~]# podman rmi -f httpd
Untagged: docker.io/library/httpd:latest
Deleted: dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
導出鏡像
[root@localhost ~]# podman image save httpd > httod.tar
[root@localhost ~]# ls
anaconda-ks.cfg httod.tar
導入鏡像
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/httpd latest dabbfbe0c57b 7 months ago 148 MB
[root@localhost ~]# podman rmi httpd
Untagged: docker.io/library/httpd:latest
Deleted: dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@localhost ~]# podman image load < httod.tar
Getting image source signatures
Copying blob deefaa620a71 done
Copying blob 1da636a1aa95 done
Copying blob 2edcec3590a4 done
Copying blob 15e4bf5d0804 done
Copying blob 9cff3206f9a6 done
Copying config dabbfbe0c5 done
Writing manifest to image destination
Storing signatures
Loaded image(s): docker.io/library/httpd:latest
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/httpd latest dabbfbe0c57b 7 months ago 148 MB
創建容器
//podman create 創建容器
[root@localhost ~]# podman create httpd //創建但不啟動容器
5d0bd832c2d6477ba535819abc1c4072ce17fa4feab015b4e92c72c9fb053831
創建並啟動容器
//podman run 創建一個運行的容器
[root@localhost ~]# podman run -it --name web httpd /bin/bash
root@9868d220012a:~#
--name 容器名 //指定容器名
--label 標記名 //加標記方便查找
-it //讓容器的輸入保持打開狀態,並分配終端
-c //不進行登錄執行命令
-d //將容器放入後臺進行執行
-v //可以創建多個數據捲也可掛載到宿主機的目錄,如果本地沒有目錄,則自動生成一個目錄
//掛載方法:宿主機目錄:容器內數據捲路徑
-p //小寫p映射埠 宿主機端:容器埠
-P //大寫P發佈所有公開的埠(隨機映射埠號)
--volumes-from //容器和容器之間建立聯繫
--restart always //重啟策略:容器退出或服務重啟後自動再次啟動,不會保持關閉
--rm //一次性容器,退出後直接刪除
列出容器
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
//-a 查看全部容器,包含未啟動的容器
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5d0bd832c2d6 docker.io/library/httpd:latest httpd-foreground 2 minutes ago Created friendly_ritchie
啟動一個或多個容器
[root@localhost ~]# podman start web
web
停止一個或多個容器
[root@localhost ~]# podman stop web
web
重啟容器
[root@localhost ~]# podman restart web
1a779a889fd2d0758f1b1672a9142358153327f9ec00765e62641ce0fee79497
連接到運行的容器
[root@localhost ~]# podman attach web //退出會關閉
root@1a779a889fd2# exit
在正在運行的容器中運行命令
[root@localhost ~]# podman exec -it web /bin/sh //退出不會停止
# ls
bin build cgi-bin conf error htdocs icons include logs modules
# exit
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0118e5cab030 docker.io/library/httpd:latest /bin/bash 4 minutes ago Up 54 seconds ago 0.0.0.0:80->80/tcp web
刪除容器
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5d0bd832c2d6 docker.io/library/httpd:latest httpd-foreground 2 minutes ago Created friendly_ritchie
[root@localhost ~]# podman rm 5d0bd832c2d6
5d0bd832c2d6477ba535819abc1c4072ce17fa4feab015b4e92c72c9fb053831
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
391246a3e97d docker.io/library/httpd:latest httpd-foreground 12 seconds ago Created condescending_cartwright
[root@localhost ~]# podman rm -f 391246a3e97d //-f 強制刪除
391246a3e97d071e4da2ac4dbe7b4414e99ac840edc67adaf1c7d9c04f5c9abf
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
查看容器日誌
[root@localhost ~]# docker logs web
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[Fri Aug 05 15:17:38.444681 2022] [mpm_event:notice] [pid 1:tid 139833106722112] AH00489: Apache/2.4.52 (Unix) configured -- resuming normal operations
幹掉運行中的容器
[root@localhost ~]# docker kill web //kill強制關閉
web
[root@localhost ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9fdaf3c409da httpd "httpd-foreground" 6 minutes ago Exited (137) 4 seconds ago web
顯示容器或鏡像的配置
[root@localhost ~]# podman inspect httpd
[
{
"Id": "dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34",
"Digest": "sha256:0954cc1af252d824860b2c5dc0a10720af2b7a3d3435581ca788dff8480c7b32",
"RepoTags": [
"docker.io/library/httpd:latest"
],
"RepoDigests": [
"docker.io/library/httpd@sha256:0954cc1af252d824860b2c5dc0a10720af2b7a3d3435581ca788dff8480c7b32",
"docker.io/library/httpd@sha256:57c1e4ff150e2782a25c8cebb80b574f81f06b74944caf972f27e21b76074194"
]
登錄鏡像倉庫
[root@localhost ~]# podman login docker.io
Username: xinruizhong
Password:
Login Succeeded!
登出鏡像倉庫
[root@localhost ~]# podman logout docker.io
Removed login credentials for docker.io
顯示指定鏡像的歷史記錄
[root@localhost ~]# podman image history httpd
ID CREATED CREATED BY SIZE COMMENT
dabbfbe0c57b 7 months ago /bin/sh -c #(nop) CMD ["httpd-foreground"] 0 B
<missing> 7 months ago /bin/sh -c #(nop) EXPOSE 80 0 B
<missing> 7 months ago /bin/sh -c #(nop) COPY file:c432ff61c4993e... 3.58 kB
<missing> 7 months ago /bin/sh -c #(nop) STOPSIGNAL SIGWINCH 0 B
<missing> 7 months ago /bin/sh -c set -eux; savedAptMark="$(apt... 61.1 MB
列出埠映射或容器的特定映射
[root@localhost ~]# podman port web
80/tcp -> 0.0.0.0:80
重命名現有的容器
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7403c4f042b4 docker.io/library/httpd:latest /bin/sh 2 minutes ago Up 2 minutes ago 0.0.0.0:80->80/tcp web
[root@localhost ~]# podman rename web httpd
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7403c4f042b4 docker.io/library/httpd:latest /bin/sh 3 minutes ago Up 2 minutes ago 0.0.0.0:80->80/tcp httpd
顯示一個容器的運行進程
[root@localhost ~]# podman top web
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
root 1 0 0.000 5m56.414637232s ? 0s httpd -DFOREGROUND
www-data 8 1 0.000 5m55.414828093s ? 0s httpd -DFOREGROUND
www-data 9 1 0.000 5m55.414853952s ? 0s httpd -DFOREGROUND
www-data 10 1 0.000 5m55.414877937s ? 0s httpd -DFOREGROUND
給本地鏡像添加標簽
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/httpd latest dabbfbe0c57b 7 months ago 148 MB
[root@localhost ~]# podman tag docker.io/library/httpd docker.io/library/httpd:v0.1
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/httpd latest dabbfbe0c57b 7 months ago 148 MB
docker.io/library/httpd v0.1 dabbfbe0c57b 7 months ago 148 MB
podman生成
[root@localhost ~]# podman generate systemd --help
Generate systemd units.
Description:
Generate systemd units for a pod or container.
The generated units can later be controlled via systemctl(1).
Usage:
podman generate systemd [options] {CONTAINER|POD}
Examples:
podman generate systemd CTR
podman generate systemd --new --time 10 CTR
podman generate systemd --files --name POD
Options:
--container-prefix string Systemd unit name prefix for containers (default "container")
-f, --files Generate .service files instead of printing to stdout
--format string Print the created units in specified format (json)
-n, --name Use container/pod names instead of IDs
--new Create a new container instead of starting an existing one
--no-header Skip header generation
--pod-prefix string Systemd unit name prefix for pods (default "pod")
--restart-policy string Systemd restart-policy (default "on-failure")
--separator string Systemd unit name separator between name/id and prefix (default "-")
-t, --time uint Stop timeout override (default 10)
//示例
[root@localhost ~]# podman generate systemd --name web --files --new
/root/container-web.service
[root@localhost ~]# cp /root/container-web.service /usr/lib/systemd/system/
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl status container-web.service
● container-web.service - Podman container-web.service
Loaded: loaded (/usr/lib/systemd/system/container-web.service; disabled; vendor preset: disabl>
Active: inactive (dead)
Docs: man:podman-generate-systemd(1)
[root@localhost ~]# systemctl enable --now container-web.service
Created symlink /etc/systemd/system/multi-user.target.wants/container-web.service → /usr/lib/systemd/system/container-web.service.
Created symlink /etc/systemd/system/default.target.wants/container-web.service → /usr/lib/systemd/system/container-web.service.
顯示容器資源使用統計的實時流
[root@localhost ~]# podman stats web
ID NAME CPU % MEM USAGE / LIMIT MEM % NET IO BLOCK IO PIDS CPU TIME AVG CPU %
1d337a97c9a0 web 0.01% 27.96MB / 3.885GB 0.72% 1.604kB / 2.205kB 8.192kB / 0B 82 74.971194ms 0.00%
卸載工作容器的根文件系統
[root@localhost ~]# podman umount web
web
[root@localhost ~]# podman exec -it web /bin/sh //卸載後無法進入容器
Error: exec failed: container_linux.go:380: starting container process caused: process_linux.go:99: starting setns process caused: fork/exec /proc/self/exe: no such file or directory: OCI runtime attempted to invoke a command that was not found
掛載工作容器的根文件系統
[root@localhost ~]# podman mount web
/var/lib/containers/storage/overlay/e190e6ad8069bc29d32418a2eeb3f9d7d4a7d831a1a36cc97ef5f5d6111b8b2b/merged
[root@localhost ~]# podman exec -it web /bin/sh
# exit
podman的基礎設置和使用
Podman 是作為 libpod 庫的一部分提供的實用程式,可用於創建和維護容器。以下是使用 Podman 執行一些基本操作的示例。
運行示例容器
因為容器在分離模式下運行(由 podman run 命令中的 -d 參數指定),所以 Podman 在啟動後只會列印容器 ID。請注意,這裡使用埠轉發來訪問 HTTP 伺服器;要成功運行,至少需要 slirp4netns v0.3.0。
[root@localhost ~]# podman run -dt -p 8080:8080/tcp -e HTTPD_VAR_RUN=/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d \
-e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf \
-e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \
registry.fedoraproject.org/f29/httpd /usr/bin/run-httpd
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob d77ff9f653ce done
Copying blob aaf5ad2e1aa3 done
Copying blob 7692efc5f81c done
Copying config 25c76f9dcd done
Writing manifest to image destination
Storing signatures
364db788cd5751eb07bec9d6acabcfc5c2f4bc4f591c5e16e64d5ffb2b9aeb62
[root@localhost ~]# rpm -qa |grep slirp4netns
slirp4netns-1.1.8-1.module_el8.5.0+890+6b136101.x86_64
列出正在運行的容器
Podman ps命令用於列出創建和運行的容器。
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
364db788cd57 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 2 minutes ago Up 2 minutes ago 0.0.0.0:8080->8080/tcp festive_hermann
參數:
-a 或 --all //列出所有容器,包括未運行
-s 或 --size //查看本地機上所有運行實例的大小
-q 或 --quiet //查看容器id
檢查正在運行的容器
您可以“檢查”(inspect)正在運行的容器以獲取其元數據和詳細信息,甚至可以用 inspect 子命令查看分配給容器的 IP 地址。若容器在無根(rootless)模式下運行,則不會分配 IP 地址,該值在 inspect 輸出中會顯示為空;本例以 root 運行,因此能看到分配的地址。
[root@localhost ~]# podman inspect -l |grep -i ipaddress
"IPAddress": "10.88.0.2",
"IPAddress": "10.88.0.2",
測試httpd伺服器
有了容器的 IP 地址(或宿主機映射出的埠),我們就可以使用 curl 測試宿主操作系統和容器之間的網路通信。以下命令應該顯示容器化 httpd 伺服器的索引頁面。
[root@localhost ~]# curl 10.88.0.2:8080 //需要跟8080埠號
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Test Page for the Apache HTTP Server on Fedora</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
也可以通過宿主機 IP 加上映射出來的埠(此例為 8080)進行訪問
查看容器的日誌
您也可以使用 Podman 查看容器的日誌:
[root@localhost ~]# podman logs -l
=> sourcing 10-set-mpm.sh ...
=> sourcing 20-copy-config.sh ...
=> sourcing 40-ssl-certs.sh ...
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.2. Set the 'ServerName' directive globally to suppress this message
[Mon Aug 15 15:20:46.005433 2022] [ssl:warn] [pid 1:tid 139972014361984] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.1b FIPS 26 Feb 2019, version currently loaded is OpenSSL 1.1.1 FIPS 11 Sep 2018) - may result in undefined or erroneous behavior
[Mon Aug 15 15:20:46.006165 2022] [ssl:warn] [pid 1:tid 139972014361984] AH01909: 10.88.0.2:8443:0 server certificate does NOT include an ID which matches the server name
查看容器進程pid
您可以使用top觀察容器中的 httpd pid 。
[root@localhost ~]# podman top -l
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
default 1 0 0.000 9m46.752864551s pts/0 0s httpd -D FOREGROUND
default 23 1 0.000 9m46.753000255s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 24 1 0.000 9m46.753028749s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 25 1 0.000 9m46.753057272s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 26 1 0.000 9m46.753080013s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 27 1 0.000 9m46.753102749s pts/0 0s httpd -D FOREGROUND
default 28 1 0.000 9m46.753125034s pts/0 0s httpd -D FOREGROUND
default 32 1 0.000 9m46.753148102s pts/0 0s httpd -D FOREGROUND
default 47 1 0.000 9m46.753176176s pts/0 0s httpd -D FOREGROUND
對容器執行檢查點(checkpoint)操作
對容器執行檢查點操作會停止容器,同時將容器中所有進程的狀態寫入磁碟。有了這個,容器可以稍後恢復,並從與檢查點完全相同的時間點繼續運行。此功能需要在系統上安裝 CRIU 3.11 或更高版本,且不支持無根(rootless)模式;因此,如果您想嘗試它,需要以 root 身份(使用相同的命令加上 sudo)重新創建容器。
[root@localhost ~]# podman container checkpoint festive_hermann
364db788cd5751eb07bec9d6acabcfc5c2f4bc4f591c5e16e64d5ffb2b9aeb62
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
364db788cd57 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 20 minutes ago Exited (0) 8 seconds ago 0.0.0.0:8080->8080/tcp festive_hermann
還原容器
還原容器僅適用於以前檢查點的容器。還原的容器將繼續在檢查點操作的同一時間點運行。要恢復容器
[root@localhost ~]# podman container restore festive_hermann
364db788cd5751eb07bec9d6acabcfc5c2f4bc4f591c5e16e64d5ffb2b9aeb62
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
364db788cd57 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 21 minutes ago Up 21 minutes ago 0.0.0.0:8080->8080/tcp festive_hermann
還原後,然後容器將像檢查點之前一樣再次應答請求
[root@localhost ~]# curl 10.88.0.2:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Test Page for the Apache HTTP Server on Fedora</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
遷移容器
要將容器從一個主機實時遷移到另一個主機,容器將在遷移的源系統上執行檢查點操作,傳輸到目標系統,然後在目標系統上還原。傳輸檢查點時,可以指定輸出文件。
在源系統上:
[root@localhost ~]# podman container checkpoint festive_hermann -e /tmp/checkpoint.tar.gz
364db788cd5751eb07bec9d6acabcfc5c2f4bc4f591c5e16e64d5ffb2b9aeb62
//將檢查點文件傳輸到目標主機
[root@localhost ~]# scp /tmp/checkpoint.tar.gz 192.168.111.135:/tmp
The authenticity of host '192.168.111.135 (192.168.111.135)' can't be established.
ECDSA key fingerprint is SHA256:AneDLcALQuLH7WhrvDCtu+7mdCXjrXa87i7CQ+01ntk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.111.135' (ECDSA) to the list of known hosts.
[email protected]'s password:
checkpoint.tar.gz 100% 4307KB 58.9MB/s 00:00
在目標主機上:
[root@localhost ~]# podman container restore -i /tmp/checkpoint.tar.gz
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob d77ff9f653ce done
Copying blob aaf5ad2e1aa3 done
Copying blob 7692efc5f81c done
Copying config 25c76f9dcd done
Writing manifest to image destination
Storing signatures
364db788cd5751eb07bec9d6acabcfc5c2f4bc4f591c5e16e64d5ffb2b9aeb62
還原後可再次訪問 httpd 服務,驗證容器是否正常應答
停止容器
要停止httpd容器
[root@localhost ~]# podman stop -l
364db788cd5751eb07bec9d6acabcfc5c2f4bc4f591c5e16e64d5ffb2b9aeb62
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
364db788cd57 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... About a minute ago Exited (0) 6 seconds ago 0.0.0.0:8080->8080/tcp festive_hermann
移除容器
刪除httpd容器
[root@localhost ~]# podman rm -l
364db788cd5751eb07bec9d6acabcfc5c2f4bc4f591c5e16e64d5ffb2b9aeb62
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
podman簽名和分發容器並推送到harbor倉庫中
對容器映像進行簽名的動機是只信任特定的映像提供方,以緩解中間人(MITM)攻擊或針對容器註冊表的攻擊。對映像進行簽名的一種方法是使用 GNU Privacy Guard(GPG)密鑰。此技術通常與任何符合 OCI 的容器註冊表(如 Quay.io)相容。值得一提的是,OpenShift 集成的容器註冊表開箱即用地支持這種簽名機制,因此不需要單獨的簽名存儲。
從技術角度來看,我們可以在將映像推送到遠程註冊表時利用 Podman 對映像進行簽名。之後,所有運行 Podman 的系統都必須配置為從遠程伺服器(可以是任何簡單的 Web 伺服器)檢索簽名。只要在 /etc/containers/policy.json 中要求簽名,映像拉取操作期間每個未簽名或簽名無法驗證的映像都將被拒絕。但這是如何工作的呢?
首先,我們必須創建一個 GPG 密鑰對,或選擇一個本地已有的密鑰對。要生成新的 GPG 密鑰,只需運行 gpg --full-gen-key 並按照互動式對話框進行操作即可。之後我們應該能夠驗證密鑰已在本地存在:
[root@localhost ~]# gpg --full-gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: zhongxr
Email address: [email protected]
Comment: zxr
You selected this USER-ID:
"zhongxr (zxr) <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
//設置密碼需要超過8位,並需要帶特殊符號,輸入兩遍
┌─┐
│ Please enter the passphrase to │
│ protect your new key │
│ │
│ Passphrase: ***********
└─┘ <OK> <Cancel> │
┌─┐
│ Please re-enter this passphrase │
│ │
│ Passphrase: ***********
│ │
└─┘ <OK> <Cancel> │
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 5DC83A553D298F98 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/FF46300F530BFC8CE64D05FF5DC83A553D298F98.rev'
public and secret key created and signed.
pub rsa2048 2022-08-15 [SC]
FF46300F530BFC8CE64D05FF5DC83A553D298F98
uid zhongxr (zxr) <[email protected]>
sub rsa2048 2022-08-15 [E]
查看密鑰
[root@localhost ~]# gpg --list-keys zhongxr
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub rsa2048 2022-08-15 [SC]
FF46300F530BFC8CE64D05FF5DC83A553D298F98
uid [ultimate] zhongxr (zxr) <[email protected]>
sub rsa2048 2022-08-15 [E]
為簽名選擇一個標準的鏡像
[root@localhost ~]# podman pull docker://docker.io/alpine:latest
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob 59bf1c3509f3 done
Copying config c059bfaa84 done
Writing manifest to image destination
Storing signatures
c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18
[root@localhost ~]# podman images alpine
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
需要部署harbor倉庫
給alpine打個標簽
[root@localhost ~]# podman tag docker.io/library/alpine 192.168.111.135/alpine:v1
[root@localhost ~]# podman images alpine
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
192.168.111.135/alpine v1 c059bfaa849c 8 months ago 5.87 MB
在通過命令對鏡像進行簽名之前,我們必須先修改系統範圍的註冊表簽名配置 /etc/containers/registries.d/default.yaml,指定簽名的存放位置
[root@localhost ~]# cd /etc/containers/
[root@localhost containers]# ls
certs.d policy.json registries.conf.d storage.conf
oci registries.conf registries.d
[root@localhost containers]# cd registries.d/
[root@localhost registries.d]# ls
default.yaml registry.access.redhat.com.yaml registry.redhat.io.yaml
[root@localhost registries.d]# vim default.yaml
default-docker:
# sigstore: file:///var/lib/containers/sigstore
sigstore: http://192.168.111.135:80 //添加
sigstore-staging: file:///var/lib/containers/sigstore
推送並簽署鏡像(下面命令中的 --tls-verify=false 會跳過對倉庫 TLS 證書的驗證,僅適用於測試環境;生產環境應為倉庫配置受信任的證書並保留默認的驗證)
[root@localhost ~]# podman push --tls-verify=false --sign-by zhongxr 192.168.111.135/alpine:v1