Podman networking and autostarting Podman containers at boot
Podman networking
Differences between rootful and rootless container networking
One of the guiding factors for Podman container networking is whether the container is run by the root user, because unprivileged users cannot create network interfaces on the host. For rootful containers, therefore, the default network mode uses Container Network Interface (CNI) plugins, specifically the bridge plugin. For rootless containers, the default network mode is slirp4netns. Because of its limited privileges, slirp4netns lacks some of the capabilities of CNI networking; for example, slirp4netns cannot give a container a routable IP address. CNI stands for Container Network Interface.
Firewall
A firewall does not affect how networks are set up and configured, but it does affect the traffic on those networks. The most obvious case is inbound traffic to the container host, which is typically passed to a container through a port mapping. Depending on the firewall implementation, we have seen firewall ports opened automatically when a container is run with a port mapping (for example). If container traffic does not seem to work, check the firewall and allow traffic on the port numbers the containers are using. A common problem is that reloading the firewall removes the CNI iptables rules, which causes rootful containers to lose network connectivity. Podman v3 provides the podman network reload command to restore them without restarting the containers.
Basic network setup
Most containers and pods run with Podman follow a few simple scenarios. By default, rootful Podman creates a bridge network. This is the most straightforward and preferred network setup for Podman. Bridge networking creates an interface for the container on an internal bridge network, which is then connected to the internet through network address translation (NAT). We also see users who want macvlan for networking. The macvlan plugin forwards an entire network interface from the host into the container, allowing it to reach the network the host is connected to. Finally, the default network configuration for rootless containers is slirp4netns. The slirp4netns network mode has limited capabilities but works for users without root privileges. It creates a tunnel from the host to the container to forward traffic.
Example: inter-container communication
// Start a container named test
[root@localhost ~]# podman run -it --name test docker.io/library/busybox:latest /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 9e:79:b4:02:bc:6e brd ff:ff:ff:ff:ff:ff
inet 10.88.0.2/16 brd 10.88.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::9c79:b4ff:fe02:bc6e/64 scope link
valid_lft forever preferred_lft forever
// Start a second container named test1
[root@localhost ~]# podman run -it --name test1 docker.io/library/busybox:latest /bin/sh
/ # ping 10.88.0.2
PING 10.88.0.2 (10.88.0.2): 56 data bytes
64 bytes from 10.88.0.2: seq=0 ttl=64 time=0.064 ms
64 bytes from 10.88.0.2: seq=1 ttl=64 time=0.072 ms
64 bytes from 10.88.0.2: seq=2 ttl=64 time=0.053 ms
64 bytes from 10.88.0.2: seq=3 ttl=64 time=0.055 ms
64 bytes from 10.88.0.2: seq=4 ttl=64 time=0.067 ms
^Z[1]+ Stopped ping 10.88.0.2
// Every time a container starts, a veth interface is created on the host
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:2d:c8:6e brd ff:ff:ff:ff:ff:ff
inet 192.168.200.141/24 brd 192.168.200.255 scope global dynamic noprefixroute ens33
valid_lft 1215sec preferred_lft 1215sec
inet6 fe80::5027:eefc:8c9f:a575/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: cni-podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 5a:a0:b3:c5:a3:9c brd ff:ff:ff:ff:ff:ff
inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
valid_lft forever preferred_lft forever
inet6 fe80::58a0:b3ff:fec5:a39c/64 scope link
valid_lft forever preferred_lft forever
4: vetha26b4f36@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default
link/ether 5e:79:96:43:e8:17 brd ff:ff:ff:ff:ff:ff link-netns cni-1960c697-8aa9-65b9-8127-82de4d41d869
inet6 fe80::5c79:96ff:fe43:e817/64 scope link
valid_lft forever preferred_lft forever
5: vethb37df711@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default
link/ether 5a:4d:43:68:dc:ee brd ff:ff:ff:ff:ff:ff link-netns cni-02527c58-38d4-96cc-a5c8-eaa007fce05c
inet6 fe80::584d:43ff:fe68:dcee/64 scope link
valid_lft forever preferred_lft forever
// When the container stops, its veth interface disappears
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
836603d32987 docker.io/library/busybox:latest /bin/sh 3 minutes ago Up 3 minutes ago test
6dcdce15b6a1 docker.io/library/busybox:latest /bin/sh About a minute ago Up About a minute ago test1
[root@localhost ~]# podman stop test1 test
test1
test
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:2d:c8:6e brd ff:ff:ff:ff:ff:ff
inet 192.168.200.141/24 brd 192.168.200.255 scope global dynamic noprefixroute ens33
valid_lft 1132sec preferred_lft 1132sec
inet6 fe80::5027:eefc:8c9f:a575/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: cni-podman0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 5a:a0:b3:c5:a3:9c brd ff:ff:ff:ff:ff:ff
inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
valid_lft forever preferred_lft forever
inet6 fe80::58a0:b3ff:fec5:a39c/64 scope link
valid_lft forever preferred_lft forever
View the firewall rules
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
// Run a container to test: once a container with a port mapping is running, rules are added for it automatically and its port is allowed through
[root@localhost ~]# podman run -d -p 80:80 --name web --rm docker.io/library/httpd
89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-MASQ all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI portfwd requiring masquerade */
0 0 CNI-d83ef39c9d5296ad8fdd9da6 all -- * * 10.88.0.4 0.0.0.0/0 /* name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain CNI-d83ef39c9d5296ad8fdd9da6 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 10.88.0.0/16 /* name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */
0 0 MASQUERADE all -- * * 0.0.0.0/0 !224.0.0.0/4 /* name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */
Chain CNI-HOSTPORT-SETMARK (2 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI portfwd masquerade mark */ MARK or 0x2000
Chain CNI-HOSTPORT-MASQ (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x2000/0x2000
Chain CNI-HOSTPORT-DNAT (2 references)
pkts bytes target prot opt in out source destination
0 0 CNI-DN-d83ef39c9d5296ad8fdd9 tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* dnat name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */ multiport dports 80
Chain CNI-DN-d83ef39c9d5296ad8fdd9 (1 references)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 10.88.0.0/16 0.0.0.0/0 tcp dpt:80
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 127.0.0.1 0.0.0.0/0 tcp dpt:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.88.0.4:80
[root@localhost ~]# podman inspect -l | grep -i address
"IPAddress": "10.88.0.4",
"GlobalIPv6Address": "",
"MacAddress": "be:3b:3f:d7:87:94",
"LinkLocalIPv6Address": "",
"IPAddress": "10.88.0.4",
"GlobalIPv6Address": "",
"MacAddress": "be:3b:3f:d7:87:94",
// Access test
[root@localhost ~]# curl 10.88.0.4
<html><body><h1>It works!</h1></body></html>
// Restore the firewall rules by restarting the container
[root@localhost ~]# iptables -t nat -F // flush the NAT table
[root@localhost ~]# iptables -t nat -nvL // the port 80 rules are gone
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain CNI-d83ef39c9d5296ad8fdd9da6 (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-HOSTPORT-SETMARK (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-HOSTPORT-MASQ (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-HOSTPORT-DNAT (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-DN-d83ef39c9d5296ad8fdd9 (0 references)
pkts bytes target prot opt in out source destination
// Restart the container
[root@localhost ~]# podman restart -l
89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 152 CNI-HOSTPORT-MASQ all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI portfwd requiring masquerade */
0 0 CNI-d83ef39c9d5296ad8fdd9da6 all -- * * 10.88.0.5 0.0.0.0/0 /* name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain CNI-HOSTPORT-SETMARK (2 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI portfwd masquerade mark */ MARK or 0x2000
Chain CNI-HOSTPORT-MASQ (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x2000/0x2000
Chain CNI-HOSTPORT-DNAT (2 references)
pkts bytes target prot opt in out source destination
0 0 CNI-DN-d83ef39c9d5296ad8fdd9 tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* dnat name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */ multiport dports 80
Chain CNI-d83ef39c9d5296ad8fdd9da6 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 10.88.0.0/16 /* name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */
0 0 MASQUERADE all -- * * 0.0.0.0/0 !224.0.0.0/4 /* name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */
Chain CNI-DN-d83ef39c9d5296ad8fdd9 (1 references)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 10.88.0.0/16 0.0.0.0/0 tcp dpt:80
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 127.0.0.1 0.0.0.0/0 tcp dpt:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.88.0.5:80
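As an added check (not part of the original post), the following Python script detects the lost-rules condition shown above: it parses `iptables -t nat -nvL` output together with the PORTS column of `podman ps` and reports any published port that no longer has a DNAT rule to the container's current IP. The two NAT tables inside it are constructed samples modelled on the output above.

```python
import re
from dataclasses import dataclass

# Added example for this page, not Podman project code: it parses the
# `iptables -t nat -nvL` layout shown above plus the PORTS column of `podman ps`.
# Both NAT tables at the bottom are constructed samples.

@dataclass(frozen=True, order=True)
class PortMap:
    proto: str
    host_port: int
    ctr_ip: str
    ctr_port: int

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# "... DNAT  tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.88.0.4:80"
DNAT_RE = re.compile(r"(?<!\S)DNAT\s+(tcp|udp)\b.*\bdpt:(\d+)\b.*\bto:([\d.]+):(\d+)")
PORTS_RE = re.compile(r":(\d+)->(\d+)/(tcp|udp)")  # podman ps: "0.0.0.0:80->80/tcp"

def parse_nat_table(text):
    """Map chain name -> rule lines from `iptables -t nat -nvL` output."""
    chains, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line and current and not line.startswith("pkts"):
            chains[current].append(line)
    return chains

def hostport_hooked(chains):
    """PREROUTING and OUTPUT must still jump to CNI-HOSTPORT-DNAT; after
    `iptables -t nat -F` the CNI chains survive but with 0 references."""
    return all(any(r.split()[2:3] == ["CNI-HOSTPORT-DNAT"] for r in chains.get(h, []))
               for h in ("PREROUTING", "OUTPUT"))

def dnat_mappings(chains):
    """Every host_port -> ctr_ip:ctr_port DNAT rule present in the table."""
    found = set()
    for rule in (r for rules in chains.values() for r in rules):
        m = DNAT_RE.search(rule)
        if m:
            proto, hp, ip, cp = m.groups()
            found.add(PortMap(proto, int(hp), ip, int(cp)))
    return found

def expected_mappings(ports_column, ctr_ip):
    """What a running container needs, from its `podman ps` PORTS and current IP."""
    return {PortMap(p, int(h), ctr_ip, int(c)) for h, c, p in PORTS_RE.findall(ports_column)}

def check_port_forwarding(nat_table_text, ports_column, ctr_ip):
    """Return {'hooked': bool, 'missing': [PortMap...]}. Any missing entry means the
    published port is dead until `podman network reload` (or a container restart)."""
    chains = parse_nat_table(nat_table_text)
    missing = expected_mappings(ports_column, ctr_ip) - dnat_mappings(chains)
    return {"hooked": hostport_hooked(chains), "missing": sorted(missing)}

# Constructed sample: healthy table for a `-p 80:80` container that now has 10.88.0.5.
HEALTHY = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
Chain CNI-HOSTPORT-DNAT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CNI-DN-sample  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "podman" id: "<sample-id>" */ multiport dports 80
Chain CNI-DN-sample (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.88.0.5:80
"""
# Constructed sample: the same table after a firewall reload (`iptables -t nat -F`).
FLUSHED = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain CNI-HOSTPORT-DNAT (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain CNI-DN-sample (0 references)
 pkts bytes target     prot opt in     out     source               destination
"""

if __name__ == "__main__":
    for label, table in (("after restart", HEALTHY), ("after nat flush", FLUSHED)):
        r = check_port_forwarding(table, "0.0.0.0:80->80/tcp", "10.88.0.5")
        print(label, "ok" if r["hooked"] and not r["missing"] else f"lost: {r['missing']}")
```

On a live host, feed it the real `iptables -t nat -nvL` output and the IP from `podman inspect`; note that the container's IP changed from 10.88.0.4 to 10.88.0.5 across the restart above, so the expectation must always be rebuilt from the current IP.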
Podman network configuration
Specify a network and run a container
Create the podman2 network
[root@localhost ~]# podman network create podman2
/etc/cni/net.d/podman2.conflist
[root@localhost ~]#
--subnet creates the network with the given subnet
podman network create --subnet <CIDR> <network-name>
[root@localhost ~]# podman network create --subnet 192.6.0.0/16 newnet
/etc/cni/net.d/newnet.conflist
--gateway specifies the gateway
podman network create --subnet <CIDR> --gateway <gateway-address> newnet1
[root@localhost ~]# podman network create --subnet 192.168.13.0/24 --gateway 192.168.13.2 newnet1
/etc/cni/net.d/newnet1.conflist
--ip-range specifies the range from which container IPs are allocated
[root@localhost ~]# podman network create --subnet 192.168.14.0/24 --ip-range 192.168.14.13/25 newnet2
/etc/cni/net.d/newnet2.conflist
[root@localhost ~]#
View the networks just created
[root@localhost ~]# podman network ls
NETWORK ID NAME VERSION PLUGINS
2f259bab93aa podman 0.4.0 bridge,portmap,firewall,tuning
884e74728f04 newnet 0.4.0 bridge,portmap,firewall,tuning
45b3499a170b newnet1 0.4.0 bridge,portmap,firewall,tuning
31213d4efd11 newnet2 0.4.0 bridge,portmap,firewall,tuning
4d24ca3baa36 podman2 0.4.0 bridge,portmap,firewall,tuning
Use the network just created and run a container
Format: podman run --name <container-name> --network <network-name> <image>
[root@localhost ~]# podman run -dt --name nginx2 --network podman2 nginx:latest
b926e6a2a1b16b8275fa59813d30139c03ab6678933219fd551acc7105e8c742
View this container's IP address
[root@localhost ~]# podman inspect nginx | grep IP
"IPAddress": "10.88.0.3",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"IPAddress": "10.88.0.3",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAMConfig": null,
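Added example, not Podman's own code: a small validator for the --subnet, --gateway and --ip-range arguments used above, which also flags overlap with networks that already exist on the host (the EXISTING list is taken from the networks listed above).

```python
import ipaddress

# Added example for this page, not Podman code: checks the --subnet, --gateway and
# --ip-range values before `podman network create` runs, including overlap with
# networks that already exist. The EXISTING list mirrors the page's `podman network ls`.

def validate_network(subnet, gateway=None, ip_range=None, existing=()):
    """Return a list of problems; an empty list means the arguments are consistent."""
    problems = []
    try:
        net = ipaddress.ip_network(subnet)  # strict: 192.168.14.13/24 is rejected
    except ValueError as e:
        return [f"bad subnet {subnet}: {e}"]
    if gateway is not None:
        gw = ipaddress.ip_address(gateway)
        if gw not in net or gw in (net.network_address, net.broadcast_address):
            problems.append(f"gateway {gateway} is not a usable host address in {subnet}")
    if ip_range is not None:
        # Podman accepted 192.168.14.13/25 above, so allow host bits in the range.
        rng = ipaddress.ip_network(ip_range, strict=False)
        if not rng.subnet_of(net):
            problems.append(f"ip-range {ip_range} lies outside {subnet}")
    for name, cidr in existing:
        if net.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"subnet {subnet} overlaps existing network {name} ({cidr})")
    return problems

# Networks on the page's host: the default bridge plus the ones created above.
EXISTING = [("podman", "10.88.0.0/16"), ("newnet", "192.6.0.0/16"),
            ("newnet1", "192.168.13.0/24")]

if __name__ == "__main__":
    print(validate_network("192.168.14.0/24", "192.168.14.1", "192.168.14.13/25", EXISTING))
    print(validate_network("10.88.1.0/24", existing=EXISTING))
```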
Podman network management
Note: once a container is started, the cni-podman0 interface appears; containers connect to the podman network by default when they start
[root@localhost ~]# ip a show cni-podman0
3: cni-podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether ae:fa:0b:90:77:8e brd ff:ff:ff:ff:ff:ff
inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
valid_lft forever preferred_lft forever
inet6 fe80::acfa:bff:fe90:778e/64 scope link
valid_lft forever preferred_lft forever
View container networks
[root@localhost ~]# podman network ls
NETWORK ID NAME VERSION PLUGINS
2f259bab93aa podman 0.4.0 bridge,portmap,firewall,tuning
884e74728f04 newnet 0.4.0 bridge,portmap,firewall,tuning
45b3499a170b newnet1 0.4.0 bridge,portmap,firewall,tuning
31213d4efd11 newnet2 0.4.0 bridge,portmap,firewall,tuning
4d24ca3baa36 podman2 0.4.0 bridge,portmap,firewall,tuning
Disconnect a container from a network (disconnect)
[root@localhost ~]# podman network disconnect podman2 nginx2
Reload a container's network (reload)
[root@localhost ~]# podman network reload nginx2
b926e6a2a1b16b8275fa59813d30139c03ab6678933219fd551acc7105e8c742
Delete Podman networks (rm)
[root@localhost ~]# podman network ls
NETWORK ID NAME VERSION PLUGINS
2f259bab93aa podman 0.4.0 bridge,portmap,firewall,tuning
884e74728f04 newnet 0.4.0 bridge,portmap,firewall,tuning
45b3499a170b newnet1 0.4.0 bridge,portmap,firewall,tuning
31213d4efd11 newnet2 0.4.0 bridge,portmap,firewall,tuning
4d24ca3baa36 podman2 0.4.0 bridge,portmap,firewall,tuning
[root@localhost ~]# podman network rm newnet1 newnet2
newnet1
newnet2
[root@localhost ~]# podman network ls
NETWORK ID NAME VERSION PLUGINS
2f259bab93aa podman 0.4.0 bridge,portmap,firewall,tuning
884e74728f04 newnet 0.4.0 bridge,portmap,firewall,tuning
4d24ca3baa36 podman2 0.4.0 bridge,portmap,firewall,tuning
Common Podman commands
podman search: search for images
[root@podman ~]# podman search httpd --filter=is-official //search only official httpd images
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
docker.io docker.io/library/httpd The Apache HTTP Server Project 3794 [OK]
podman pull: pull an image
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@localhost ~]# podman pull docker.io/library/nginx
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob e5ae68f74026 skipped: already exists
Copying blob 21e0df283cd6 done
Copying blob 77700c52c969 done
Copying blob ed835de16acd done
Copying blob 44be98c0fab6 done
Copying blob 881ff011f1c9 done
Copying config f652ca386e done
Writing manifest to image destination
Storing signatures
f652ca386ed135a4cbe356333e08ef0816f81b2ac8d0619af01e2b256837ed3e
podman images: list all images
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest f652ca386ed1 13 days ago 146 MB
podman run: run a container
[root@localhost ~]# podman run -itd --name web01 nginx:latest
6e1d7872c5ec26863d513624d20c1adb64f85eb970fe1c5da1ebeda941eae487
podman ps: list running containers
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6e1d7872c5ec docker.io/library/nginx:latest nginx -g daemon o... 51 seconds ago Up 51 seconds ago web01
// With -a, Podman shows all containers (created, exited, running, and so on)
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6e1d7872c5ec docker.io/library/nginx:latest nginx -g daemon o... 54 seconds ago Up 53 seconds ago web01
9cffea5123c7 docker.io/library/nginx:latest nginx -g daemon o... 23 seconds ago Exited (0) 10 seconds ago web02
podman inspect: show detailed container information
[root@localhost ~]# podman inspect web01
[
{
"Id": "6e1d7872c5ec26863d513624d20c1adb64f85eb970fe1c5da1ebeda941eae487",
"Created": "2021-12-15T18:48:21.76933645+08:00",
"Path": "/docker-entrypoint.sh",
"Args": [
"nginx",
"-g",
"daemon off;"
],
"State": {
"OciVersion": "1.0.2-dev",
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 12767,
"ConmonPid": 12756,
"ExitCode": 0,
"Error": "",
"StartedAt": "2021-12-15T18:48:22.484198349+08:00",
"FinishedAt": "0001-01-01T00:00:00Z",
"Healthcheck": {
"Status": "",
"FailingStreak": 0,
"Log": null
}
},
// -l: inspect the most recently created container
[root@localhost ~]# podman inspect -l | grep -i ipaddress
"IPAddress": "10.88.0.2",
"IPAddress": "10.88.0.2",
podman logs: view container logs
// -l: view the logs of the most recently created container
[root@localhost ~]# podman logs -l
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2021/12/15 10:48:53 [notice] 1#1: using the "epoll" event method
2021/12/15 10:48:53 [notice] 1#1: nginx/1.21.4
2021/12/15 10:48:53 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
2021/12/15 10:48:53 [notice] 1#1: OS: Linux 4.18.0-147.el8.x86_64
2021/12/15 10:48:53 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2021/12/15 10:48:53 [notice] 1#1: start worker processes
2021/12/15 10:48:53 [notice] 1#1: start worker process 30
2021/12/15 10:48:53 [notice] 1#1: start worker process 31
2021/12/15 10:49:05 [notice] 1#1: signal 3 (SIGQUIT) received, shutting down
2021/12/15 10:49:05 [notice] 31#31: gracefully shutting down
2021/12/15 10:49:05 [notice] 30#30: gracefully shutting down
2021/12/15 10:49:05 [notice] 31#31: exiting
2021/12/15 10:49:05 [notice] 30#30: exiting
2021/12/15 10:49:05 [notice] 31#31: exit
2021/12/15 10:49:05 [notice] 30#30: exit
2021/12/15 10:49:05 [notice] 1#1: signal 17 (SIGCHLD) received from 30
2021/12/15 10:49:05 [notice] 1#1: worker process 30 exited with code 0
2021/12/15 10:49:05 [notice] 1#1: worker process 31 exited with code 0
2021/12/15 10:49:05 [notice] 1#1: exit
podman top: view the processes (pids) of a container
[root@localhost ~]# podman top web01
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
root 1 0 0.000 5m1.739557202s pts/0 0s nginx: master process nginx -g daemon off;
nginx 30 1 0.000 5m1.739814247s pts/0 0s nginx: worker process
nginx 31 1 0.000 5m1.739913641s pts/0 0s nginx: worker process
// -l: the most recently created container
[root@localhost ~]# podman top -l
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
root 1 0 0.000 11.295056103s pts/0 0s nginx: master process nginx -g daemon off;
nginx 23 1 0.000 10.29518149s pts/0 0s nginx: worker process
nginx 24 1 0.000 10.295250142s pts/0 0s nginx: worker process
podman stop: stop a container
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6e1d7872c5ec docker.io/library/nginx:latest nginx -g daemon o... 7 minutes ago Up 7 minutes ago web01
9cffea5123c7 docker.io/library/nginx:latest nginx -g daemon o... 7 minutes ago Up 4 seconds ago web02
[root@localhost ~]# podman stop web02
web02
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6e1d7872c5ec docker.io/library/nginx:latest nginx -g daemon o... 8 minutes ago Up 8 minutes ago web01
podman start: start a container
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6e1d7872c5ec docker.io/library/nginx:latest nginx -g daemon o... 9 minutes ago Up 9 minutes ago web01
[root@localhost ~]# podman start web02
web02
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6e1d7872c5ec docker.io/library/nginx:latest nginx -g daemon o... 9 minutes ago Up 9 minutes ago web01
9cffea5123c7 docker.io/library/nginx:latest nginx -g daemon o... 8 minutes ago Up 3 seconds ago web02
podman rm: remove a container
// -f: force removal
[root@localhost ~]# podman rm -f web02
9cffea5123c7c977747cf770c1abe11fe302cd1fd5f8d250da5196e5ba3e7656
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6e1d7872c5ec docker.io/library/nginx:latest nginx -g daemon o... 10 minutes ago Up 10 minutes ago web01
podman rmi: remove an image
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/httpd latest 8362f2615893 11 hours ago 148 MB
docker.io/library/busybox latest ffe9d497c324 7 days ago 1.46 MB
docker.io/library/nginx latest f652ca386ed1 13 days ago 146 MB
// -f: force removal
[root@localhost ~]# podman rmi -f ffe9d497c324
Untagged: docker.io/library/busybox:latest
Deleted: ffe9d497c32414b1c5cdad8178a85602ee72453082da2463f1dede592ac7d5af
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/httpd latest 8362f2615893 11 hours ago 148 MB
docker.io/library/nginx latest f652ca386ed1 13 days ago 146 MB
Autostarting Podman containers at boot
Use podman generate --help to see the usage
[root@podman ~]# podman generate --help
Generate structured data based on containers, pods or volumes
Description:
Generate structured data (e.g., Kubernetes YAML or systemd units) based on containers, pods or volumes.
Usage:
podman generate [command]
Available Commands:
kube Generate Kubernetes YAML from containers, pods or volumes.
systemd Generate systemd units.
Use podman generate systemd --help to see the usage:
[root@podman ~]# podman generate systemd --help
Generate systemd units.
Description:
Generate systemd units for a pod or container.
The generated units can later be controlled via systemctl(1).
Usage:
podman generate systemd [options] {CONTAINER|POD}
Examples:
podman generate systemd CTR
podman generate systemd --new --time 10 CTR
podman generate systemd --files --name POD
Options:
--container-prefix string Systemd unit name prefix for containers (default "container")
-f, --files Generate .service files instead of printing to stdout
--format string Print the created units in specified format (json)
-n, --name Use container/pod names instead of IDs
--new Create a new container or pod instead of starting an existing one
--no-header Skip header generation
--pod-prefix string Systemd unit name prefix for pods (default "pod")
--restart-policy string Systemd restart-policy (default "on-failure")
--separator string Systemd unit name separator between name/id and prefix (default "-")
-t, --time uint Stop timeout override (default 10)
Autostarting a root Podman container as a systemd service
[root@localhost ~]# podman run -tid --name web nginx
969d855df0326b8ea1efacd90e5ab2860763d950668e038fe2b410e897e25bf9
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
969d855df032 docker.io/library/nginx:latest nginx -g daemon o... 6 seconds ago Up 5 seconds ago web
[root@localhost ~]# podman generate systemd --files --name web
/root/container-web.service
[root@localhost ~]# mv container-web.service /usr/lib/systemd/system/
[root@localhost ~]# systemctl status container-web
● container-web.service - Podman container-web.service
Loaded: loaded (/usr/lib/systemd/system/container-web.ser>
Active: inactive (dead)
Docs: man:podman-generate-systemd(1)
[root@localhost ~]# systemctl enable --now container-web
Created symlink /etc/systemd/system/multi-user.target.wants/container-web.service → /usr/lib/systemd/system/container-web.service.
Created symlink /etc/systemd/system/default.target.wants/container-web.service → /usr/lib/systemd/system/container-web.service.
[root@localhost ~]# systemctl status container-web
● container-web.service - Podman container-web.service
Loaded: loaded (/usr/lib/systemd/system/container-web.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2021-12-15 19:03:27 CST; 6s ago
Docs: man:podman-generate-systemd(1)
Process: 14702 ExecStart=/usr/bin/podman start web (code=exited, status=0/SUCCESS)
Main PID: 14575 (conmon)
Tasks: 0 (limit: 11338)
Memory: 1.0M
CGroup: /system.slice/container-web.service
‣ 14575 /usr/bin/conmon --api-version 1 -c 969d855df0326b8ea1efacd90e5ab2860763d950668e038fe2b410e897e25bf9 -u 96>
12月 15 19:03:27 localhost.localdomain systemd[1]: Starting Podman container-web.service...
12月 15 19:03:27 localhost.localdomain systemd[1]: Started Podman container-web.service.
Configuring container autostart for a non-root user
Before allowing users without root privileges to run Podman, the administrator must install or build Podman and complete the following configuration
The cgroup v2 Linux kernel feature lets you limit the resources that containers of ordinary users may use. If the Linux distribution running Podman has cgroup v2 enabled, the default OCI runtime may need to be changed: some older versions of runc do not work with cgroup v2, and you must switch to the alternative OCI runtime crun
[root@localhost ~]# yum -y install crun
[root@localhost ~]# vim /usr/share/containers/containers.conf
runtime = "crun" # uncomment this line
#runtime = "runc" # comment this line out
Configure the storage.conf file
[root@localhost ~]# vim /etc/containers/storage.conf
mount_program = "/usr/bin/fuse-overlayfs" # uncomment this line
// Create a user
[root@localhost ~]# useradd syb
[root@localhost ~]# echo "123456" |passwd --stdin syb
更改用户 syb 的密码 。
passwd:所有的身份验证令牌已经成功更新。
[root@localhost ~]# ssh syb@192.168.200.141
The authenticity of host '192.168.200.141 (192.168.200.141)' can't be established.
ECDSA key fingerprint is SHA256:3aBCquRdG1LVT8X2pT/0DPh77RRE1pj0F8z33PZa1xg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.200.141' (ECDSA) to the list of known hosts.
syb@192.168.200.141's password:
# This directory must be created under the home directory; do not change its name
[syb@localhost ~]$ mkdir -p ~/.config/systemd/user
[syb@localhost ~]$ cd ~/.config/systemd/user
# Create the container
[syb@localhost user]$ podman run -d --name test nginx
[syb@localhost user]$ podman generate systemd --name test --files --new
# Stop the container
[syb@localhost user]$ podman stop test
test
[syb@localhost user]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
# If you did not log in over ssh or re-enter the system, reload the user's systemd units first
[syb@localhost user]$ systemctl --user daemon-reload
[syb@localhost user]$ systemctl --user enable --now container-test.service
Created symlink /home/nea/.config/systemd/user/multi-user.target.wants/container-test.service → /home/nea/.config/systemd/user/container-test.service.
Created symlink /home/nea/.config/systemd/user/default.target.wants/container-test.service → /home/nea/.config/systemd/user/container-test.service.
[syb@localhost user]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2c79cfc6f4f7 docker.io/library/nginx:latest nginx -g daemon o... 6 seconds ago Up 6 seconds ago test
[syb@localhost user]$ systemctl --user status container-test.service
● container-test.service - Podman container-test.service
Loaded: loaded (/home/syb/.config/systemd/user/container-test.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2021-12-15 01:44:49 EST; 9min ago
Docs: man:podman-generate-systemd(1)
Process: 19217 ExecStartPre=/bin/rm -f /run/user/1001/container-test.service.ctr-id (code=exited, status=0/SUCCESS)
Main PID: 19257 (conmon)
CGroup: /user.slice/user-1001.slice/user@1001.service/container-test.service
├─19251 /usr/bin/fuse-overlayfs -o ,lowerdir=/home/nea/.local/share/containers/storage/overlay/l/5S2WLHYYVZAJ3G7TOACCLLOJ52:/home/nea/.local/share/>
├─19253 /usr/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable-sandbox --enable-seccomp -c -e 3 -r 4 --netns-type=path /run/user/1001/ne>
├─19257 /usr/bin/conmon --api-version 1 -c 2c79cfc6f4f71f1c4bbb69240883347d9da098ae26147c463d904fe61f75cf8b -u 2c79cfc6f4f71f1c4bbb69240883347d9da0>
├─19260 nginx: master process nginx -g daemon off;
├─19286 nginx: worker process
└─19287 nginx: worker process
Podman registry mirror configuration
A registry mirror from Alibaba Cloud, Tsinghua University, NetEase or others can be used to speed up image pulls; here we use the Alibaba Cloud mirror. You must log in first to obtain your personal mirror address.
// Edit the configuration file; this is the CentOS 8 layout, which differs slightly from CentOS 7
[root@localhost containers]# pwd
/etc/containers
[root@localhost containers]# vim registries.conf
[registries.search] // by default docker.io is reached over https
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"] // keep only docker.io; the CentOS 7 version lists 3 registries, CentOS 8 lists 4
unqualified-search-registries = ["docker.io"]
[registries.insecure] // registries listed here may be reached over plain http or with an unverified TLS certificate
registries = ["docker.io"]
[root@localhost containers]# podman pull centos // pulling by a short name alone; Podman resolves it through the default registry configuration
Resolved "centos" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull quay.io/centos/centos:latest...
Getting image source signatures
Copying blob 7a0437f04f83 done
Copying config 300e315adb done
Writing manifest to image destination
Storing signatures
300e315adb2f96afe5f0b2780b87f28ae95231fe3bdd1e16b9ba606307728f55
// CentOS 8 configuration; 7 and 8 differ
[root@localhost containers]# vim registries.conf
[[registry]]
prefix="docker.io"
location="<your mirror address, without https://>"
// CentOS 7 configuration
[root@localhost containers]# vim registries.conf // the prefix line is not needed here
[[docker.io]]
location="<your mirror address, without https://>"