Managing Podman for rootless users
Before allowing users without root privileges to run Podman, the administrator must install or build Podman and complete the following configuration.
Basic setup
cgroup V2 is a Linux kernel feature that lets users limit the resources that a regular user's containers may consume. If the Linux distribution running Podman has cgroup V2 enabled, the default OCI runtime may need to be changed: some older versions of runc do not work with cgroup V2, so you must switch to the alternative OCI runtime crun.
[root@localhost ~]# dnf -y install crun //ships with CentOS 8, can be installed directly
[root@localhost ~]# vim /usr/share/containers/containers.conf
runtime = "crun" //uncomment this line
#runtime = "runc" //comment this line out
//start a container
[root@localhost ~]# podman run -d --name web nginx
Resolving "nginx" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob b4df32aa5a72 done
Copying blob 589b7251471a done
Copying blob a0bcbecc962e done
Copying blob 186b1aaa4aa6 done
Copying blob a2abf6c4d29d done
Copying blob a9edb18cadd1 done
Copying config 605c77e624 done
Writing manifest to image destination
Storing signatures
230ef7f477fe7b5348bbef97ac6c28d3a38b2a535f5398b06b735530922d9634
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
230ef7f477fe docker.io/library/nginx:latest nginx -g daemon o... 13 seconds ago Up 13 seconds ago web
[root@localhost ~]# podman inspect web | grep -i ociruntime
"OCIRuntime": "crun",
Install slirp4netns and fuse-overlayfs
When using Podman as a regular user, fuse-overlayfs is recommended over the VFS storage driver; at least version 0.7.6 is required. Newer releases use it by default.
[root@localhost ~]# dnf -y install slirp4netns fuse-overlayfs
[root@localhost ~]# vim /etc/containers/storage.conf
mount_program = "/usr/bin/fuse-overlayfs" //uncomment this line
subuid and subgid configuration
Podman requires the user running it to have a range of UIDs listed in /etc/subuid and /etc/subgid; the shadow-utils or newuid package provides these files.
[root@localhost ~]# yum -y install shadow-utils
//Check /etc/subuid and /etc/subgid: each user's range must be unique and must not overlap any other.
[root@localhost ~]# useradd zz
[root@localhost ~]# cat /etc/subuid
zz:100000:65536
[root@localhost ~]# cat /etc/subgid
zz:100000:65536
[root@localhost ~]#
[root@localhost ~]# vim /etc/sysctl.conf
net.ipv4.ping_group_range=0 200000 //add this line; with the upper bound above 100000 the user (tom) can use podman
The format of this file is USERNAME:UID:RANGE:
- USERNAME is a user name listed in /etc/passwd or in the output of getpwent.
- UID is the initial UID assigned to the user.
- RANGE is the size of the UID range assigned to the user.
The usermod program can be used to assign UIDs and GIDs to a user instead of editing the files directly.
[root@localhost ~]# useradd xx
[root@localhost ~]# cat /etc/subuid /etc/subgid
zz:100000:65536
xx:165536:65536
zz:100000:65536
xx:165536:65536
[root@localhost ~]# usermod --add-subuids 200000-201000 --add-subgids 200000-201000 xx
[root@localhost ~]# cat /etc/subuid /etc/subgid
zz:100000:65536
xx:165536:65536
zz:100000:65536
xx:165536:65536
[root@localhost ~]# usermod --del-subuids 165536-231072 --del-subgids 165536-231072 xx //--del removes a range
[root@localhost ~]# cat /etc/subuid /etc/subgid
zz:100000:65536
zz:100000:65536
[root@localhost ~]# usermod --add-subuids 200000-201000 --add-subgids 200000-201000 xx //--add adds a range
[root@localhost ~]# cat /etc/subuid /etc/subgid
zz:100000:65536
xx:200000:1001
zz:100000:65536
xx:200000:1001
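The rule stated above, that every user's range in /etc/subuid and /etc/subgid must be unique and non-overlapping, is easy to break when ranges are added by hand. The following shell functions, an added example and not part of the original article, check a file in USERNAME:START:COUNT format for overlaps and report the first free ID after the highest range in use. The file contents below are constructed for the demo; on a live host feed the real files in on stdin.

```shell
# Added example (not from the original article): validate subuid/subgid files.
# Constructed sample contents (the good one mirrors the article's zz/xx entries).
SAMPLE_SUBUID='zz:100000:65536
xx:165536:65536'

SAMPLE_SUBUID_BAD='zz:100000:65536
xx:150000:65536'

# check_subid_ranges: reads USERNAME:START:COUNT lines on stdin, prints "ok"
# when no two ranges overlap; otherwise prints each offending pair and returns 1.
check_subid_ranges() {
    awk -F: '
        /^[[:space:]]*$/ || /^#/ { next }
        {
            n++
            user[n] = $1; start[n] = $2 + 0; end[n] = $2 + $3 - 1
        }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (start[i] <= end[j] && start[j] <= end[i]) {
                        printf "overlap: %s (%d-%d) and %s (%d-%d)\n",
                               user[i], start[i], end[i], user[j], start[j], end[j]
                        bad = 1
                    }
            if (bad) exit 1
            print "ok"
        }'
}

# next_free_subid: prints the first ID above every range in the file, which is
# where a new user's range can begin without overlapping an existing one.
next_free_subid() {
    awk -F: '
        /^[[:space:]]*$/ || /^#/ { next }
        { e = $2 + $3; if (e > max) max = e }
        END { print max + 0 }'
}

# Live usage: check_subid_ranges < /etc/subuid; check_subid_ranges < /etc/subgid
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_SUBUID" | check_subid_ranges
printf 'next free ID: %s\n' "$(printf '%s\n' "$SAMPLE_SUBUID" | next_free_subid)"
printf '%s\n' "$SAMPLE_SUBUID_BAD" | check_subid_ranges || echo "fix the file before running rootless podman"
```

Run the checks on both files separately, since the article's examples keep the subuid and subgid ranges identical but nothing enforces that.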
User configuration files
The three main configuration files are containers.conf, storage.conf and registries.conf. Users can modify these files as needed.
containers.conf (container configuration file)
//ways to view the user configuration files
[root@localhost ~]# cat /usr/share/containers/containers.conf //commonly used
//alternative locations
[root@localhost ~]# cat /etc/containers/containers.conf
[root@localhost ~]# cat ~/.config/containers/containers.conf //highest priority
They are read in that order, if they exist; each file can override specific fields of the previous one.
storage.conf (storage configuration file)
1. /etc/containers/storage.conf
2. $HOME/.config/containers/storage.conf
For a regular user, some fields in /etc/containers/storage.conf are ignored.
[root@localhost ~]# vim /etc/containers/storage.conf
//look for driver
driver = "overlay" //should be overlay here
//look for mount_program
mount_program = "/usr/bin/fuse-overlayfs" //uncomment this line
[root@localhost ~]# vim /etc/sysctl.conf //only needed on versions below 8, to set the number of user namespaces for rootless users
user.max_user_namespaces=15000 //add this line
These are the default fields in question for a regular user:
[root@localhost ~]# vim /etc/containers/storage.conf
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"
registries.conf (registry configuration file)
The files are read in this order. They are not created by default; you can copy them from /usr/share/containers or /etc/containers and modify them.
1. /etc/containers/registries.conf
2. /etc/containers/registries.d/*
3. $HOME/.config/containers/registries.conf
Authorization file
This file stores the Docker account password, shown in encoded form.
The Docker account and password authorization is the same for the root user and a regular user.
[root@localhost ~]# podman login
Username: xinruizhong
Password:
Login Succeeded!
[root@localhost ~]# find / -name auth.json
/run/user/0/containers/auth.json
[root@localhost ~]# cat /run/user/0/containers/auth.json
{
"auths": {
"docker.io": {
"auth": "eGlucnVpemhvbmc6WnoyMDAyMDYyNS4u"
}
}
}
[root@localhost ~]# su - zz
[zz@localhost ~]$ podman login
Username: xinruizhong
Password:
Login Succeeded!
[zz@localhost ~]$ find / -name auth.json
/tmp/podman-run-1000/containers/auth.json
[zz@localhost ~]$ cat /tmp/podman-run-1000/containers/auth.json
{
"auths": {
"docker.io": {
"auth": "eGlucnVpemhvbmc6WnoyMDAyMDYyNS4u"
}
}
}
[zz@localhost ~]$ exit
logout
[root@localhost ~]#
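The sessions above show that each user gets a separate auth.json under its runtime directory (/run/user/0 for root, /tmp/podman-run-1000 for zz). The following shell functions, an added example that is not part of the original article, locate that file for the current user, list the registries it holds logins for, and show that the "auth" value is just base64 of USER:PASSWORD, which is why the file's permissions are what protects the secret. The credential in the sample file is constructed (demo-user / demo-pass), not the one from the article, and the /tmp/podman-run-<uid> fallback path is taken from the article's output.

```shell
# Added example (not from the original article): inspect a rootless auth.json.
# Constructed sample file with a made-up credential (demo-user:demo-pass).
AUTH_JSON_SAMPLE=$(mktemp)
cat > "$AUTH_JSON_SAMPLE" <<'EOF'
{
  "auths": {
    "docker.io": {
      "auth": "ZGVtby11c2VyOmRlbW8tcGFzcw=="
    }
  }
}
EOF
chmod 600 "$AUTH_JSON_SAMPLE"

# auth_json_path: where podman login stores the file for the current user:
# $XDG_RUNTIME_DIR/containers/auth.json, or, when that variable is unset (as
# after `su - zz` in the article), /tmp/podman-run-<uid>/containers/auth.json.
auth_json_path() {
    uid=$(id -u)
    echo "${XDG_RUNTIME_DIR:-/tmp/podman-run-$uid}/containers/auth.json"
}

# auth_registries: lists the registries the file holds logins for
# (every quoted key that opens an object, except the top-level "auths").
auth_registries() {
    sed -n 's/^[[:space:]]*"\([^"]*\)": {[[:space:]]*$/\1/p' "$1" | grep -v '^auths$'
}

# auth_user: the "auth" value is base64 of USER:PASSWORD, so the user name
# (and the password) can be read back by anyone who can read the file.
auth_user() {
    sed -n 's/^[[:space:]]*"auth": "\([^"]*\)".*/\1/p' "$1" | head -n1 | base64 -d | cut -d: -f1
}

# auth_mode_ok: prints "ok" when only the owner can read the file,
# otherwise prints the octal mode that was found.
auth_mode_ok() {
    mode=$(stat -c %a "$1")
    if [ "$mode" = 600 ]; then echo ok; else echo "$mode"; fi
}

# Demo on the constructed sample; on a live host pass "$(auth_json_path)".
echo "expected location for this user: $(auth_json_path)"
echo "registries: $(auth_registries "$AUTH_JSON_SAMPLE")"
echo "user in auth field: $(auth_user "$AUTH_JSON_SAMPLE")"
echo "permissions: $(auth_mode_ok "$AUTH_JSON_SAMPLE")"
```

Because the runtime directory is per user, logging in as root does not give zz a login and vice versa; each user has to run podman login, exactly as the article does.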
A regular user cannot see the root user's images and containers.
//root user
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest 605c77e624dd 7 months ago 146 MB
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
230ef7f477fe docker.io/library/nginx:latest nginx -g daemon o... 2 hours ago Up 2 hours ago web
//regular user
[root@localhost ~]# su - zz
Last login: Tue Aug 16 22:19:02 CST 2022 on pts/2
[zz@localhost ~]$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
[zz@localhost ~]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
The root user likewise cannot see a regular user's images and containers.
//regular user
[zz@localhost ~]$ podman pull httpd //pull an image
Resolving "httpd" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/library/httpd:latest...
Getting image source signatures
Copying blob aed046121ed8 skipped: already exists
Copying blob 4340e7be3d7f skipped: already exists
Copying blob 80e368ef21fc skipped: already exists
Copying blob 1efc276f4ff9 skipped: already exists
Copying blob 80cb79a80bbe done
Copying config f2a976f932 done
Writing manifest to image destination
Storing signatures
f2a976f932ec6fe48978c1cdde2c8217a497b1f080c80e49049e02757302cf74
[zz@localhost ~]$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/httpd latest f2a976f932ec 2 weeks ago 149 MB
//create a container
[zz@localhost ~]$ podman run -dit --name b1 -p 8080:80 httpd
b5cdee0cc511a7acc3e0174b3ad77c6117113c7111d0863dcd8e718a78fe6b6d
[zz@localhost ~]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b5cdee0cc511 docker.io/library/httpd:latest httpd-foreground 7 seconds ago Up 7 seconds ago 0.0.0.0:8080->80/tcp b1
//root user
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest 605c77e624dd 7 months ago 146 MB
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
230ef7f477fe docker.io/library/nginx:latest nginx -g daemon o... 2 hours ago Up 2 hours ago web
Volumes
- When the container runs as root, the root user inside the container is actually your user on the host.
[zz@localhost ~]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b5cdee0cc511 docker.io/library/httpd:latest httpd-foreground 3 minutes ago Up 3 minutes ago 0.0.0.0:8080->80/tcp b1
[zz@localhost ~]$ podman exec -it b1 /bin/bash
root@b5cdee0cc511:/usr/local/apache2# id
uid=0(root) gid=0(root) groups=0(root)
- Other UIDs and GIDs start from the first UID and GID given in the user's mapping in /etc/subuid and /etc/subgid.
- If, as a regular user, you mount a host directory into the container and create files in it as root inside the container, you will see that on the host they are actually owned by your user.
Using volumes
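The three points above follow from the user namespace mapping that rootless Podman builds from the user's /etc/subuid entry. The functions below, an added example and not part of the original article, reconstruct that mapping for the article's user zz and translate container UIDs to host UIDs and back, including the layout used by --userns=keep-id, which is shown later in the article. The host UID 1000 is an assumption (the article never prints it); the subuid line is the one from the article.

```shell
# Added example (not from the original article): model the rootless UID mapping.
HOST_USER=zz
HOST_UID=1000                      # assumed; not printed in the article
SUBUID_LINE='zz:100000:65536'      # USERNAME:START:COUNT, as on the page

# uid_map: prints the mapping as lines of "container-start host-start count"
# (the same layout the kernel exposes in /proc/<pid>/uid_map).
#   default: container root is the host user, container 1.. come from subuid
#   keep-id: the host UID keeps its number inside the container; the subuid
#            range fills the IDs below and above it
uid_map() {
    rest=${SUBUID_LINE#*:}
    start=${rest%%:*}
    count=${rest#*:}
    if [ "$1" = "keep-id" ]; then
        printf '%s %s %s\n' 0 "$start" "$HOST_UID"
        printf '%s %s %s\n' "$HOST_UID" "$HOST_UID" 1
        printf '%s %s %s\n' $((HOST_UID + 1)) $((start + HOST_UID)) $((count - HOST_UID))
    else
        printf '%s %s %s\n' 0 "$HOST_UID" 1
        printf '%s %s %s\n' 1 "$start" "$count"
    fi
}

# container_to_host CONTAINER_UID [keep-id]: the host UID that owns a file the
# container creates; IDs outside the map print "unmapped" (they show up as
# nobody/65534 inside the container, like the "nobody nogroup" entry above).
container_to_host() {
    uid_map "$2" | awk -v c="$1" '
        $1 <= c && c < $1 + $3 { print $2 + (c - $1); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# host_to_container HOST_UID [keep-id]: the reverse lookup, i.e. how a file
# owned by a host UID appears inside the container.
host_to_container() {
    uid_map "$2" | awk -v h="$1" '
        $2 <= h && h < $2 + $3 { print $1 + (h - $2); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# Demo: root in the container is zz on the host; container uid 1 is 100000 on
# the host; with keep-id, zz's own uid stays 1000 on both sides.
echo "container root -> host uid $(container_to_host 0)"
echo "container uid 1 -> host uid $(container_to_host 1)"
echo "host uid $HOST_UID -> container uid $(host_to_container "$HOST_UID")"
echo "keep-id: host uid $HOST_UID -> container uid $(host_to_container "$HOST_UID" keep-id)"
```

On a live system the same table can be read with podman unshare cat /proc/self/uid_map; the point of modelling it is to predict file ownership on a bind mount before relying on it.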
[root@localhost ~]# su - zz
[zz@localhost ~]$ pwd
/home/zz
[zz@localhost ~]$ mkdir /home/zz/abc
//For '/abc:Z': the default 'z' option marks the bind-mount content as shared between multiple containers; the 'Z' option marks it as private and not shared
[zz@localhost ~]$ podman run -dit --name zxr -v /home/zz/abc/:/abc:Z -p 8080:80 httpd
5f8c15de22474eecb4d24e729ea907ec26ff109ac69cc09020ed8e017843de97
[zz@localhost ~]$ podman exec -it zxr /bin/bash
root@5f8c15de2247:/usr/local/apache2# cd /abc/
root@5f8c15de2247:/abc# touch 123
root@5f8c15de2247:/abc# ls -l
total 0
drwxr-xr-x. 2 nobody nogroup 6 Aug 16 14:44 aaa
View on the host
[zz@localhost ~]$ ll abc/ //viewed as user zz
total 0
-rw-r--r--. 1 zz zz 0 Aug 16 22:52 123
//write a file as the user
[zz@localhost ~]$ echo "hello world" >> abc/111
[zz@localhost ~]$ cat abc/111
hello world
Check inside the container
root@5f8c15de2247:/abc# ls
111 123
root@5f8c15de2247:/abc# cat 111
hello world
Make the owner and group of directories and files inside the container show as zz
//Just add --userns=keep-id when running the container; it keeps the same ID
[zz@localhost ~]$ podman rm -f -l
5f8c15de22474eecb4d24e729ea907ec26ff109ac69cc09020ed8e017843de97
[zz@localhost ~]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[zz@localhost ~]$ podman run -dit --name zzz --userns=keep-id -v $(pwd)/abc:/abc:Z busybox
Resolved "busybox" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 50783e0dfb64 done
Copying config 7a80323521 done
Writing manifest to image destination
Storing signatures
42c49ace20d71e2c2356029bef2c770279a6b35b68b69c83e6e443e9b0a0d61a
[zz@localhost ~]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
42c49ace20d7 docker.io/library/busybox:latest sh 20 seconds ago Up 20 seconds ago zzz
[zz@localhost ~]$ podman exec -it zzz /bin/sh
~ $ cd abc/
/abc $ ls -l
total 4
-rw-rw-r-- 1 zz zz 12 Aug 16 14:55 111
-rw-r--r-- 1 zz zz 0 Aug 16 14:52 123
Mapping a container port as a regular user reports a "permission denied" error
[zz@localhost ~]$ podman run -dit --name xxx -p 80:80 httpd
Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied
A regular user can map ports >= 1024
[zz@localhost ~]$ podman rm -f xxx
804118df04eb0e049a187288d5a74429fba36db1e8ca25dcb114ec98627690fa
[zz@localhost ~]$ podman run -dit --name xxx -p 1024:80 httpd
73bb26b44db1487b0a95271fc8a833d63883c80b72b7225e432df6a4bb911b71
[zz@localhost ~]$ ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:1024 *:*
After configuring echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf, ports >= 80 can be mapped
[root@localhost ~]# vim /etc/sysctl.conf
net.ipv4.ip_unprivileged_port_start = 80 //add at the end
[root@localhost ~]# sysctl -p //apply immediately
net.ipv4.ip_unprivileged_port_start = 80
//to demonstrate, remove the root user's container that occupies port 80
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
230ef7f477fe docker.io/library/nginx:latest nginx -g daemon o... 3 hours ago Up 3 hours ago web
[root@localhost ~]# podman rm -f -l
230ef7f477fe7b5348bbef97ac6c28d3a38b2a535f5398b06b735530922d9634
//create a test container
[root@localhost ~]# podman run -dit --name xxx -p 80:80 httpd
498e966c5635f025be5e3236b8692562a65d3b547e15df8109a72f48295f2dc1