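The Podman container engine in RHEL 8
Red Hat Enterprise Linux 8 includes the container-tools package module, which provides a new container engine called Podman that can replace Docker and Moby. The container-tools module also contains other tools, such as Buildah (builds container images), Skopeo (manages container images on registries), and runc. Unlike Docker, which relies on a daemon to build and run containers, this new toolset builds and runs containers without a daemon.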
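The new container runtime toolset
- RHEL 8 replaces Docker with a new container runtime that supports most Docker features.
- The RHEL 8 container runtime toolset supports the Open Container Initiative (OCI) standards, which makes it possible, for example, to reuse third-party container images.
- The container runtime provides a daemonless container engine. This architecture does not need an active daemon with root privileges to run containers. Users can run containers without root privileges.
- This architecture uses a fork-exec model, which consolidates auditing compared with the Docker client-server model, which relies on an unset audit UID.
- The container-tools package module provides the new container runtime toolset and engine.
The figure below shows how the call to run differs between CRI-O and Docker; the CRI-O call path is shorter.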
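Describing the new container runtime toolset
- The podman container engine is daemonless and provides support for running containers.
- The podman syntax is similar to the docker command, and it also supports Dockerfiles.
- Buildah builds container images, either from scratch or from a Dockerfile.
- Skopeo copies and inspects container images in registries.
- Skopeo supports Docker and private registries, the Atomic registry, and local directories, including those that use OCI content.
Install the container tools, and note the 18 rpm packages that are installed: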
[root@localhost ~]# yum module install container-tools
Create a container from scratch and configure it to run bash. Label this container rhel-base.
Create a new container from scratch. Mount the root filesystem of the working-container container. The image shows the rpm packages installed in working-container:
[root@localhost ~]# buildah from scratch
working-container
[root@localhost ~]# buildah mount working-container
/var/lib/containers/storage/overlay/c9f82fa4bcbfeb25e8456eb0284231282b2011f34d1da7a0143af38182f67010/merged
[root@localhost ~]# yum install --installroot /var/lib/containers/storage/overlay/c9f82fa4bcbfeb25e8456eb0284231282b2011f34d1da7a0143af38182f67010/merged bash coreutils --releasever 8 --setopt install_weak_deps=false
Clean the yum cache on the working-container container.
# yum clean all \
> --installroot //var/lib/containers/storage/overlay/c9f82fa4bcbfeb25e8456eb0284231282b2011f34d1da7a0143af38182f67010/merged \
> --releasever 8
Configure bash as the first command to run. Label the working-container container as rhel-base.
# buildah config --cmd /bin/bash working-container
# buildah config --label name=rhel-base working-container
Create a container image named rhel-base based on the working-container container. First, unmount the working-container container.
# buildah unmount working-container
Create the rhel-base container image based on the working-container container.
[root@localhost ~]# buildah commit working-container rhel-base
Getting image source signatures
Copying blob ba25502a77fe done
Copying config 06a5c0b891 done
Writing manifest to image destination
Storing signatures
06a5c0b89137bf5186e8a7c9f14d9eef51b77cfd420a493ac021645ac83ed75a
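Verify that the rhel-base container image is available, and note the size of the image. If the image is only a few dozen KB, the earlier steps clearly did not succeed.
[root@localhost ~]# buildah images
REPOSITORY            TAG      IMAGE ID       CREATED          SIZE
localhost/rhel-base   latest   06a5c0b89137   33 seconds ago   303 MB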
Inspect the specification of the rhel-base container image.
[root@localhost ~]# podman inspect localhost/rhel-base
[
    {
        "Id": "06a5c0b89137bf5186e8a7c9f14d9eef51b77cfd420a493ac021645ac83ed75a",
        "Digest": "sha256:ef4d521f8e49ff80f3f634ea05b6d201f5332ef7d3e4134f0c4b902194305d7a",
        "RepoTags": [
            "localhost/rhel-base:latest"
        ],
        "RepoDigests": [
            "localhost/rhel-base@sha256:ef4d521f8e49ff80f3f634ea05b6d201f5332ef7d3e4134f0c4b902194305d7a"
        ],
        "Parent": "",
        "Comment": "",
        "Created": "2020-04-01T04:14:01.539926813Z",
        "Config": {
            "Cmd": [
                "/bin/bash"
            ],
            "Labels": {
                "io.buildah.version": "1.11.6",
                "name": "rhel-base"
            }
        },
        "Version": "",
        "Author": "",
        "Architecture": "amd64",
        "Os": "linux",
        "Size": 303217695,
        "VirtualSize": 303217695,
        "GraphDriver": {
            "Name": "overlay",
            "Data": {
                "UpperDir": "/var/lib/containers/storage/overlay/ba25502a77fee94d55554023f566fb4c8e1ae5a4f83d31f2f6e8993a2ecf5b9a/diff",
                "WorkDir": "/var/lib/containers/storage/overlay/ba25502a77fee94d55554023f566fb4c8e1ae5a4f83d31f2f6e8993a2ecf5b9a/work"
            }
        },
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:ba25502a77fee94d55554023f566fb4c8e1ae5a4f83d31f2f6e8993a2ecf5b9a"
            ]
        },
        "Labels": {
            "io.buildah.version": "1.11.6",
            "name": "rhel-base"
        },
        "Annotations": {},
        "ManifestType": "application/vnd.oci.image.manifest.v1+json",
        "User": "",
        "History": [
            {
                "created": "2020-04-01T04:14:01.539926813Z",
                "created_by": "/bin/sh"
            }
        ]
    }
]
Create a container from the rhel-base container image. Use the --rm option to delete the container on exit. When you are done, exit the container.
[root@localhost ~]# podman run --rm -it localhost/rhel-base /bin/bash
bash-4.4# cat /etc/re
redhat-release  resolv.conf
bash-4.4# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.1 (Ootpa)
Delete the working-container container; the localhost/rhel-base image can now be used normally.
[root@localhost ~]# buildah rm working-container
95a45bd8949a26cfd2eca3d95dad1148247dd08409d8d2d2521da21cfbbe64bf
[root@localhost ~]# buildah images
REPOSITORY            TAG      IMAGE ID       CREATED         SIZE
localhost/rhel-base   latest   06a5c0b89137   2 minutes ago   303 MB
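The whole from-scratch build above, collected into one script as an added example (not code from the original post). It captures the container name and mount point in variables instead of pasting the overlay path, removes the working container even when a step fails, and turns the post's image-size check into a test. The `--build` switch, the function names and the 10 MiB threshold are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: run as root on RHEL 8 with container-tools installed.
# MIN_BYTES is an assumed threshold for "the install step really populated the image".
MIN_BYTES=$((10 * 1024 * 1024))

# Succeeds only if $1 is a plain byte count of at least MIN_BYTES.
size_looks_populated() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$MIN_BYTES" ]
}

build_rhel_base() {
    local ctr mnt rc=0
    ctr=$(buildah from scratch) || return 1
    mnt=$(buildah mount "$ctr") || { buildah rm "$ctr" >/dev/null; return 1; }
    # Same steps as the post, chained so that one failure skips the rest.
    yum install -y --installroot "$mnt" bash coreutils \
        --releasever 8 --setopt install_weak_deps=false &&
    yum clean all --installroot "$mnt" --releasever 8 &&
    buildah config --cmd /bin/bash "$ctr" &&
    buildah config --label name=rhel-base "$ctr" &&
    buildah unmount "$ctr" &&
    buildah commit "$ctr" rhel-base || rc=1
    # Cleanup on every path: unmount (ignored if already unmounted), then remove.
    buildah unmount "$ctr" >/dev/null 2>&1 || true
    buildah rm "$ctr" >/dev/null
    return "$rc"
}

verify_rhel_base() {
    local size
    # Size is the byte count shown in the podman inspect output above.
    size=$(podman inspect --format '{{.Size}}' localhost/rhel-base) || return 1
    if ! size_looks_populated "$size"; then
        echo "rhel-base is only ${size} bytes; the yum install step likely failed" >&2
        return 1
    fi
    # Non-interactive version of the post's check inside the container.
    podman run --rm localhost/rhel-base cat /etc/redhat-release
}

# Only touch the system when asked to, so the functions can be sourced safely.
if [ "${1:-}" = "--build" ]; then
    build_rhel_base && verify_rhel_base
fi
```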