Basic setup and use of Podman
Run the httpd example container
[root@localhost ~]# podman run -dt -p 8080:8080/tcp -e HTTPD_VAR_RUN=/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d \
> -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf \
> -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \
> registry.fedoraproject.org/f29/httpd /usr/bin/run-httpd
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob aaf5ad2e1aa3 done
Copying blob d77ff9f653ce done
Copying blob 7692efc5f81c done
Copying config 25c76f9dcd done
Writing manifest to image destination
Storing signatures
995f7e14f01208bf6249253bb0e0d699790fb884c3c5974f1a35da1b486253f3
[root@localhost ~]# rpm -qa |grep slirp4netns
slirp4netns-1.1.8-1.module_el8.5.0+890+6b136101.x86_64
// Because the container runs in detached mode (the -d in the command), Podman prints the container ID once it has started. Note that we publish a port (-p 8080:8080/tcp) to reach the HTTP server. The slirp4netns check above matters only for rootless Podman, which needs at least slirp4netns v0.3.0 to provide the user-mode network that rootless port forwarding relies on; in this walkthrough every command runs as root, so the container is attached to Podman's bridge network instead.
列出和檢查正在運行的容器
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
995f7e14f012 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 3 minutes ago Up 3 minutes ago 0.0.0.0:8080->8080/tcp vibrant_cohen
[root@localhost ~]# podman inspect -l |grep -i ipaddress
"IPAddress": "10.88.0.7",
"IPAddress": "10.88.0.7",
// Inspecting a running container: you can "inspect" a running container to get metadata and details about it, including the IP address Podman assigned to it. Here the container runs as root, so it received the bridge address 10.88.0.7. Had it been started rootless, no address would be assigned and the IPAddress field in the inspect output would be empty.
Note: -l is a convenience flag meaning "the most recently created container". The container's ID or name can be used in its place.
測試httpd伺服器
[root@localhost ~]# curl 10.88.0.7:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Test Page for the Apache HTTP Server on Fedora</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
/*<![CDATA[*/
....
// Since the container has its own IP address, we can curl it directly to confirm that the host can talk to the container. Because port 8080 was published with -p 8080:8080, the same page is also reachable through the host's mapped port, i.e. curl localhost:8080 on the host, or the host's own IP from another machine.
View container logs
You can view the container's logs with Podman:
[root@localhost ~]# podman logs -l
=> sourcing 10-set-mpm.sh ...
=> sourcing 20-copy-config.sh ...
=> sourcing 40-ssl-certs.sh ...
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.7. Set the 'ServerName' directive globally to suppress this message
[Tue Aug 16 03:20:25.159854 2022] [ssl:warn] [pid 1:tid 139622578482560] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.1b FIPS 26 Feb 2019, version currently loaded is OpenSSL 1.1.1 FIPS 11 Sep 2018) - may result in undefined or erroneous behavior
[Tue Aug 16 03:20:25.160887 2022] [ssl:warn] [pid 1:tid 139622578482560] AH01909: 10.88.0.7:8443:0 server certificate does NOT include an ID which matches the server name
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.7. Set the 'ServerName' directive globally to suppress this message
[Tue Aug 16 03:20:25.225009 2022] [ssl:warn] [pid 1:tid 139622578482560] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.1b FIPS 26 Feb 2019, version currently loaded is OpenSSL 1.1.1 FIPS 11 Sep 2018) - may result in undefined or erroneous behavior
[Tue Aug 16 03:20:25.226280 2022] [ssl:warn] [pid 1:tid 139622578482560] AH01909: 10.88.0.7:8443:0 server certificate does NOT include an ID which matches the server name
....
// -l again selects the most recently created container
View the container's processes
You can use podman top to observe the httpd processes inside the container:
[root@localhost ~]# podman top -l
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
default 1 0 0.000 41m9.026176952s pts/0 0s httpd -D FOREGROUND
default 23 1 0.000 41m8.026462172s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 24 1 0.000 41m8.026575142s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 25 1 0.000 41m8.026627539s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 26 1 0.000 41m8.026672671s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 27 1 0.000 41m8.026720262s pts/0 0s httpd -D FOREGROUND
default 28 1 0.041 41m8.026771455s pts/0 1s httpd -D FOREGROUND
default 30 1 0.041 41m8.026815945s pts/0 1s httpd -D FOREGROUND
default 34 1 0.041 41m8.026862168s pts/0 1s httpd -D FOREGROUND
Checkpoint the container
Checkpointing a container stops it while writing the state of all its processes to disk. The container can later be restored and continue running from exactly the point at which it was checkpointed. This feature requires CRIU 3.11 or newer on the system, and it is not supported for rootless containers; if you were running rootless you would have to recreate the container as root (the same command with sudo). Everything in this walkthrough already runs as root, so nothing needs to change here.
[root@localhost ~]# podman container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
995f7e14f012 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 44 minutes ago Up 44 minutes ago 0.0.0.0:8080->8080/tcp vibrant_cohen
[root@localhost ~]# podman container checkpoint vibrant_cohen
995f7e14f01208bf6249253bb0e0d699790fb884c3c5974f1a35da1b486253f3
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
995f7e14f012 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 46 minutes ago Exited (0) About a minute ago 0.0.0.0:8080->8080/tcp vibrant_cohen
Restore the container
Restoring only works for a container that was previously checkpointed. The restored container resumes at the same point in time at which it was checkpointed. To restore the container:
[root@localhost ~]# podman container restore vibrant_cohen
995f7e14f01208bf6249253bb0e0d699790fb884c3c5974f1a35da1b486253f3
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
995f7e14f012 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 48 minutes ago Up 48 minutes ago 0.0.0.0:8080->8080/tcp vibrant_cohen
After the restore, the container answers requests again exactly as it did before the checkpoint:
[root@localhost ~]# curl 10.88.0.7:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Test Page for the Apache HTTP Server on Fedora</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
/*<![CDATA[*/
body {
....
Migrate the container
To live-migrate a container from one host to another, it is checkpointed on the source system, the checkpoint is transferred to the destination system, and the container is restored there. The -e option writes the checkpoint to an archive file that can be transferred.
On the source system:
[root@localhost ~]# podman container checkpoint vibrant_cohen -e /tmp/checkpoint.tar.gz
995f7e14f01208bf6249253bb0e0d699790fb884c3c5974f1a35da1b486253f3
// Transfer the checkpoint archive to the destination system. The archive contains the memory of every process in the container (including any secrets they held), so treat it as sensitive data, and verify the destination's host-key fingerprint out of band rather than simply answering "yes" to the prompt below:
[root@localhost ~]# scp /tmp/checkpoint.tar.gz 192.168.222.251:/tmp
The authenticity of host '192.168.222.251 (192.168.222.251)' can't be established.
ECDSA key fingerprint is SHA256:y11UDaNXs3AnvVUnZQfAim2VHAplF09YOvQp2NemHyk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.222.251' (ECDSA) to the list of known hosts.
root@192.168.222.251's password:
checkpoint.tar.gz 100% 6761KB 128.9MB/s 00:00
On the destination system:
[root@localhost ~]# podman container restore -i /tmp/checkpoint.tar.gz
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob aaf5ad2e1aa3 done
Copying blob 7692efc5f81c done
Copying blob d77ff9f653ce done
Copying config 25c76f9dcd done
Writing manifest to image destination
Storing signatures
995f7e14f01208bf6249253bb0e0d699790fb884c3c5974f1a35da1b486253f3
The restore pulls the image if it is not present locally; afterwards the container can be reached at the destination system's IP on the published port 8080.
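The migration above silently trusts two things: an ssh host key accepted on first use, and an archive that is restored without any integrity check even though it holds the memory of every process in the container. The script below is an added example, not code from the original post; it wraps the same checkpoint, scp and restore steps with a pinned known_hosts file and a SHA-256 check of the archive before restore. The function names, the known_hosts path and running as root on the destination are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: the migration steps from the
# walkthrough, with a pinned ssh host key and an integrity check on the archive.
# Assumptions (not in the original): both hosts run podman and CRIU as root,
# and the destination's host key is already present in $KNOWN_HOSTS.
set -eu

KNOWN_HOSTS="${KNOWN_HOSTS:-/root/.ssh/known_hosts}"

# Hex SHA-256 of a file; works with GNU coreutils or with BSD/perl shasum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Exit status 0 only when the file's digest equals the expected hex digest.
digest_matches() {
    [ "$(file_sha256 "$1")" = "$2" ]
}

# Source host: checkpoint the container into an archive and print the archive's
# digest, which is carried to the destination separately from the archive.
checkpoint_out() {
    podman container checkpoint "$1" -e "$2" >/dev/null
    file_sha256 "$2"
}

# Ship the archive. StrictHostKeyChecking=yes refuses any host whose key is not
# already in KNOWN_HOSTS, so a wrong or spoofed destination never receives the
# archive (which holds the full memory image of the container's processes).
ship() {
    scp -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$KNOWN_HOSTS" \
        "$1" "root@$2:/tmp/"
}

# Destination host: restore only if the archive is exactly what was checkpointed.
restore_in() {
    if ! digest_matches "$1" "$2"; then
        echo "refusing to restore $1: digest mismatch" >&2
        return 1
    fi
    podman container restore -i "$1"
}

# Usage, as root:
#   source:       digest=$(checkpoint_out vibrant_cohen /tmp/checkpoint.tar.gz)
#                 ship /tmp/checkpoint.tar.gz 192.168.222.251
#   destination:  restore_in /tmp/checkpoint.tar.gz "$digest"
```

The digest travels out of band (for example pasted into the destination's shell), so an attacker who could tamper with the archive in transit would also have to alter the value you typed on the other host.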
Stop the container
Stop the httpd container:
[root@localhost ~]# podman stop -l
995f7e14f01208bf6249253bb0e0d699790fb884c3c5974f1a35da1b486253f3
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
995f7e14f012 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... About an hour ago Exited (0) 10 minutes ago 0.0.0.0:8080->8080/tcp vibrant_cohen
Remove the container
Remove the httpd container:
[root@localhost ~]# podman rm -l
995f7e14f01208bf6249253bb0e0d699790fb884c3c5974f1a35da1b486253f3
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
Signing and distributing container images with Podman, pushing to a Harbor registry
Signing container images comes from the wish to trust only specific image providers, so as to mitigate man-in-the-middle (MITM) attacks or attacks on the container registry itself. One way to sign images is with a GNU Privacy Guard (GPG) key. This technique generally works with any OCI-compliant container registry such as Quay.io. The OpenShift integrated container registry supports this signing mechanism out of the box, which makes a separate signature store unnecessary.
Technically, we use Podman to sign the image before pushing it to the remote registry. Every system that pulls the image then has to be configured to retrieve the signature from a signature server, which can be any plain web server, and to require a valid signature in its /etc/containers/policy.json. Only then is an unsigned (or wrongly signed) image rejected at pull time; Podman's stock policy of insecureAcceptAnything verifies nothing. But how does this work?
First, we need a GPG key pair, either newly created or one already available locally. To generate a new GPG key, run gpg --full-gen-key and follow the interactive dialog. (The key below is a 2048-bit RSA key created without an expiry date; for a production signing key you would normally set an expiry, and keep the revocation certificate that gpg writes to openpgp-revocs.d somewhere safe.) Afterwards we can verify that the key exists locally:
[root@localhost ~]# gpg --full-gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: lvnanhai // enter a name (at least five characters)
Email address: [email protected] // enter an email address
Comment: lnh // optional comment
You selected this USER-ID:
"lvnanhai (lnh) <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o (lowercase o)
// set a passphrase (longer than 8 characters and containing a special character); enter it twice
┌─┐
│ Please enter the passphrase to │
│ protect your new key │
│ │
│ Passphrase: ***********
└─┘ <OK> <Cancel> │
┌─┐
│ Please re-enter this passphrase │
│ │
│ Passphrase: ***********
│ │
└─┘ <OK> <Cancel> │
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 42BD2F6C7BE222CF marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/564E291CE58E890315892F7942BD2F6C7BE222CF.rev'
public and secret key created and signed.
pub rsa2048 2022-08-16 [SC]
564E291CE58E890315892F7942BD2F6C7BE222CF
uid lvnanhai (lnh) <[email protected]>
sub rsa2048 2022-08-16 [E]
List the key:
[root@localhost ~]# gpg --list-key lvnanhai
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub rsa2048 2022-08-16 [SC]
564E291CE58E890315892F7942BD2F6C7BE222CF
uid [ultimate] lvnanhai (lnh) <[email protected]>
sub rsa2048 2022-08-16 [E]
Harbor was deployed in advance on another machine; for the details see the Harbor deployment post.
To use the registry from Podman once it is deployed, the following steps are needed.
Edit /etc/containers/registries.conf. insecure = true tells Podman to accept the registry's TLS certificate without verification and to fall back to plain HTTP; that is acceptable for a lab, but in production install the registry's CA certificate under /etc/containers/certs.d/harbor.example.com/ca.crt instead, so that TLS is actually verified:
[root@localhost ~]# vim /etc/containers/registries.conf
[[registry]]
location = "harbor.example.com" // hostname of the host where Harbor was deployed
insecure = true
Edit /etc/hosts to map the hostname to the IP:
[root@localhost ~]# vim /etc/hosts
192.168.222.251 harbor.example.com // IP and hostname of the Harbor host
Log in to the Harbor registry:
[root@localhost ~]# podman login harbor.example.com
Username: admin
Password:
Login Succeeded!
Pull a standard image:
[root@localhost ~]# podman pull docker://docker.io/alpine:latest
// the docker:// transport and the docker.io registry are given explicitly here
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob 59bf1c3509f3 done
Copying config c059bfaa84 done
Writing manifest to image destination
Storing signatures
c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
Tag the image so that it points at our local registry:
[root@localhost ~]# podman tag docker.io/library/alpine harbor.example.com/library/alpine
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
harbor.example.com/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
We can push the image and sign it with a single command. For that to work, we first have to adjust the system-wide signature-store configuration in /etc/containers/registries.d/default.yaml. sigstore-staging is the local directory into which Podman writes signatures when it pushes; sigstore is the URL that pulling hosts will query for them. Podman does not upload the signatures to that URL: whatever answers at http://harbor.example.com has to serve the files from the staging directory (a Harbor installation does not do this by itself), so in practice a plain web server exposing /var/lib/containers/sigstore is used.
[root@localhost ~]# vim /etc/containers/registries.d/default.yaml
# sigstore: file:///var/lib/containers/sigstore
sigstore-staging: file:///var/lib/containers/sigstore
sigstore: http://harbor.example.com // added: the URL that pulling hosts will query for signatures
Push and sign the image:
[root@localhost ~]# podman push --tls-verify=false --sign-by lvnanhai harbor.example.com/library/alpine
Getting image source signatures
Copying blob 8d3ac3489996 done
┌─┐
│ Please enter the passphrase to unlock the OpenPGP secret key: │
│ "lvnanhai (lnh) <[email protected]>" │
│ 2048-bit RSA key, ID CD588E57011BF668, │
│ created 2022-08-16. │
│ │
│ │
│ Passphrase: *********** // enter the passphrase chosen earlier
│ │
│ <OK> <Cancel> │
└─┘
Copying config c059bfaa84 done
Writing manifest to image destination
Signing manifest
Storing signatures
Check the result: the signature was written to the local signature store, under a directory named after the repository and the manifest digest:
[root@localhost ~]# ll /var/lib/containers/sigstore/library/
total 0
drwxr-xr-x. 2 root root 25 Aug 16 18:34 'alpine@sha256=964248be4bb8e3052c8b411271126f70c5c5015df31e014bfc41fad50edf78d8'
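The push above only produces a signature; nothing in the walkthrough yet makes a pulling host demand one. As an added example, not from the original post, the script below writes the pull-side configuration that answers the "how does this work" question from the introduction: a policy.json that rejects everything except images from harbor.example.com signed by the exported key, the registries.d entry that tells Podman where to fetch signatures, and a helper that computes the signature URL Podman will request, which is why the staging directory above is named library/alpine@sha256=... . The export path /tmp/lvnanhai.gpg, the keyring location and the function names are assumptions; the files under /var/lib/containers/sigstore must be served over HTTP at the configured URL by a web server, which Harbor does not do on its own.

```shell
#!/bin/sh
# Added example, not code from the original post: pull-side configuration that
# makes Podman reject images from harbor.example.com unless they carry a valid
# signature from the signing key, plus the URL Podman will fetch it from.
# Assumptions (not in the original): the public key was exported on the signing
# host with `gpg --export lvnanhai > /tmp/lvnanhai.gpg` (binary, not --armor)
# and copied to the pulling host; the signing host's /var/lib/containers/sigstore
# is served over plain HTTP at the URL given to write_lookaside.
set -eu

# policy.json: reject by default, accept harbor.example.com only when signed by
# the key in $keyring. Podman's stock policy is "insecureAcceptAnything", which
# performs no verification at all, so the signed push alone protects nobody.
write_policy() {
    dir="$1"; registry="$2"; keyring="$3"
    cat > "$dir/policy.json" <<EOF
{
  "default": [ { "type": "reject" } ],
  "transports": {
    "docker": {
      "$registry": [
        { "type": "signedBy", "keyType": "GPGKeys", "keyPath": "$keyring" }
      ]
    }
  }
}
EOF
}

# registries.d: where to fetch signatures for that registry. Newer
# containers/image versions spell the key "lookaside"; "sigstore" is the older
# name used in the walkthrough and is still accepted.
write_lookaside() {
    dir="$1"; registry="$2"; url="$3"
    mkdir -p "$dir/registries.d"
    cat > "$dir/registries.d/$registry.yaml" <<EOF
docker:
  $registry:
    sigstore: $url
EOF
}

# The signature for a manifest is fetched from
#   <url>/<repository>@<digest with ':' replaced by '='>/signature-<n>
# which is exactly the directory layout seen under /var/lib/containers/sigstore.
lookaside_signature_url() {
    url="$1"; repo="$2"; digest="$3"; n="${4:-1}"
    printf '%s/%s@%s/signature-%s\n' "$url" "$repo" \
        "$(printf '%s' "$digest" | tr ':' '=')" "$n"
}

# Usage on the pulling host, as root:
#   write_policy /etc/containers harbor.example.com /etc/pki/containers/lvnanhai.gpg
#   write_lookaside /etc/containers harbor.example.com http://harbor.example.com
#   podman pull harbor.example.com/library/alpine   # fails unless the signature verifies
```

With this policy in place, a pull from harbor.example.com fetches the manifest, computes its digest, requests signature-1 (then signature-2, and so on) from the lookaside URL, and accepts the image only if one of those signatures was made by a key in the keyring over that exact digest and repository name. A pull from any other registry is rejected by the default rule, which is the intended behaviour on a host that should run only vetted images.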
Log out:
[root@localhost ~]# podman logout harbor.example.com
Removed login credentials for harbor.example.com