Podman Basics

The container engine that Red Hat recommends for its system releases. Official site: https://podman.io/

(Figure: architecture relationship between nerdctl and containerd, containerd and podman)

Its commands and the way it runs resemble docker, but the internals are different.

When docker runs, a request has to pass through a background daemon before a container is created. That daemon, dockerd, must run as root on Linux; dockerd calls containerd, containerd calls containerd-shim, and only then is runC invoked. As the name suggests, the shim acts as a "spacer": it prevents a parent process exiting from affecting the running container.

podman, by contrast, talks to the container directly and does not need to run as root (it can run as an ordinary user). podman's commands are much the same as docker's, with a few differences in parameters.

podman invokes the OCI runtime (runC) directly to run the container as a whole and uses conmon to manage the container processes, so it needs no root-running daemon like dockerd. In the podman architecture there is a small daemon-like process called conmon, usually located at /usr/libexec/podman/conmon; it is the parent process of each container process, there is one per container, and conmon's own parent is usually PID 1. conmon in podman is the counterpart of containerd-shim in the docker architecture.

Comparison of the two run models:

(Figure: architecture relationship between nerdctl and containerd, containerd and podman, docker comparison)

What the diagram shows is that podman needs no daemon, whereas docker does.

In this diagram, docker's containerd-shim and podman's conmon are both placed in the Container layer.

How does using Podman differ from docker?

podman is positioned as docker-compatible, so its usage stays as close to docker as possible. Usage can be looked at from two angles: that of the system builder and that of the user.

From the system builder's angle, podman with its default software differs little from docker; the differences lie in the process model and process relationships. If you are used to debugging docker's several associated processes, you will need to adapt in podman. The pstree command shows the process tree. Overall, podman is simpler than docker, and because it has one daemon layer fewer, its restart mechanism is also different.
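Added example, not from the original post: a small POSIX shell check that confirms the process chain described above (PID 1 -> conmon -> container process) against a `ps -eo pid,ppid,comm` snapshot. The sample snapshot is constructed here; its conmon and httpd PIDs (17833 and 17842) are the ConmonPid and Pid values shown in the podman inspect output further down this page, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: verify the podman process model the text
# describes (PID 1 -> conmon -> container process) against a `ps -eo pid,ppid,comm` snapshot.

# Constructed sample snapshot; the conmon/httpd PIDs (17833/17842) are taken from the
# podman inspect output on this page, the other rows are made up for illustration.
SAMPLE_PS='  PID  PPID COMMAND
    1     0 systemd
 2001     1 sshd
17833     1 conmon
17842 17833 httpd
17850 17842 httpd'

# parent_of SNAPSHOT PID -> prints the PPID of PID (empty if not present)
parent_of() {
    printf '%s\n' "$1" | awk -v p="$2" 'NR > 1 && $1 == p { print $2; exit }'
}

# comm_of SNAPSHOT PID -> prints the command name of PID (empty if not present)
comm_of() {
    printf '%s\n' "$1" | awk -v p="$2" 'NR > 1 && $1 == p { print $3; exit }'
}

# check_podman_parentage SNAPSHOT CONTAINER_PID CONMON_PID
# Returns 0 only when CONTAINER_PID's parent is CONMON_PID, that process really is
# conmon, and conmon's parent is PID 1 (i.e. no dockerd-style daemon in between).
check_podman_parentage() {
    snap=$1; cpid=$2; cmpid=$3
    [ "$(parent_of "$snap" "$cpid")" = "$cmpid" ] || return 1
    [ "$(comm_of "$snap" "$cmpid")" = "conmon" ]   || return 1
    [ "$(parent_of "$snap" "$cmpid")" = "1" ]      || return 1
    return 0
}

# Stand-alone run against the constructed snapshot:
if check_podman_parentage "$SAMPLE_PS" 17842 17833; then
    echo "httpd (17842) is a child of conmon (17833), whose parent is PID 1"
fi
# Live use on a host running the "web" container from this page would be:
#   check_podman_parentage "$(ps -eo pid,ppid,comm)" \
#       "$(podman inspect -f '{{.State.Pid}}' web)" \
#       "$(podman inspect -f '{{.State.ConmonPid}}' web)"
```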

From the user's angle, podman's commands are basically compatible with docker's, covering the container runtime (run/start/kill/ps/inspect), local images (images/rmi/build) and image registries (login/pull/push). podman's command-line tool therefore works like docker's, for example for building images and starting and stopping containers; you can even substitute it with alias docker=podman. So even when using podman you can still use http://docker.io as the image registry, which is the most critical part of the compatibility.

Installing podman

If you use a network repository, it is best to use the CentOS 8 mirror from Aliyun's official site.

[root@localhost ~]# cd /etc/yum.repos.d/
[root@localhost yum.repos.d]# ls
CentOS-Base.repo
[root@localhost ~]#yum -y module install container-tools

Configure a registry mirror

[root@localhost ~]# vi /etc/containers/registries.conf
       ##unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]
// comment this line out

Add the following lines:
unqualified-search-registries = ["docker.io"]

[[registry]]
location = "3bufl9dc.mirror.aliyuncs.com"
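Added example, not from the original post: a POSIX shell snippet that renders a registries.conf drop-in in which the Aliyun host from the post is declared as a mirror of docker.io, using the [[registry]] table with a nested [[registry.mirror]] table documented in containers-registries.conf(5), plus two small checks on the rendered text. The function names and the drop-in file name are my own.

```shell
#!/bin/sh
# Added example, not from the original post: render a registries.conf drop-in in which the
# Aliyun host from the post is declared as a *mirror* of docker.io ([[registry]] with a nested
# [[registry.mirror]] table, the shape documented in containers-registries.conf(5)), plus two
# small checks for the rendered text. Function names are my own.

MIRROR_HOST="3bufl9dc.mirror.aliyuncs.com"

# render_registries_dropin MIRROR_HOST -> TOML text for /etc/containers/registries.conf.d/
render_registries_dropin() {
    cat <<EOF
# Short names such as "centos" resolve only against docker.io, so a pull cannot be
# satisfied by an unexpected registry earlier in the search list.
unqualified-search-registries = ["docker.io"]

[[registry]]
prefix = "docker.io"
location = "docker.io"

[[registry.mirror]]
location = "$1"
EOF
}

# count_search_registries TOML -> number of entries in the active (uncommented)
# unqualified-search-registries line; 0 if there is none.
count_search_registries() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*unqualified-search-registries/ {
            line = $0; sub(/^[^[]*\[/, "", line); sub(/\].*$/, "", line)
            print split(line, a, ","); found = 1; exit
        }
        END { if (!found) print 0 }'
}

# mirror_of TOML -> the location declared under [[registry.mirror]], empty if none
mirror_of() {
    printf '%s\n' "$1" | awk '
        /^\[\[registry\.mirror\]\]/ { in_mirror = 1; next }
        in_mirror && /^location/     { gsub(/"/, "", $3); print $3; exit }'
}

# Stand-alone run: render the drop-in and report what the checks see.
CONF=$(render_registries_dropin "$MIRROR_HOST")
echo "search registries: $(count_search_registries "$CONF"), mirror: $(mirror_of "$CONF")"
# To install it (as root): printf '%s\n' "$CONF" > /etc/containers/registries.conf.d/10-mirror.conf
```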

// Pull an image from the official registry

[root@localhost yum.repos.d]# podman pull centos
Resolved "centos" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull quay.io/centos/centos:latest...
Getting image source signatures
Copying blob 7a0437f04f83 done  
Copying config 300e315adb done  
Writing manifest to image destination
Storing signatures
300e315adb2f96afe5f0b2780b87f28ae95231fe3bdd1e16b9ba606307728f55
[root@localhost ~]# podman images
REPOSITORY                 TAG         IMAGE ID      CREATED       SIZE
docker.io/library/busybox  latest      beae173ccac6  7 months ago  1.46 MB
docker.io/library/httpd    latest      dabbfbe0c57b  7 months ago  148 MB

Here the pull has to go to the official image registry.

(Figure: architecture relationship between nerdctl and containerd, containerd and podman, registry screenshot)

Test pulling a private image

[root@localhost ~]# podman pull servicestt/l1:v0.1                // this can be pulled directly with the default settings
Resolving "servicestt/l1" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/servicestt/l1:v0.1...
Getting image source signatures
Copying blob 5cc84ad355aa skipped: already exists  
Copying blob 4c31813773a8 done  
Copying config d71dd4dae3 done  
Writing manifest to image destination
Storing signatures
d71dd4dae383f9d8b175ed36a092cf16a01ff0694a6e5786dafad8cc18207765

Push an image

Authenticate

[root@localhost ~]# podman login docker.io
Username: servicestt
Password: 
Login Succeeded!
[root@localhost ~]# podman push docker.io/servicestt/l1:v0.2
Getting image source signatures
Copying blob 1da636a1aa95 done  
Copying blob 15e4bf5d0804 done  
Copying blob 9cff3206f9a6 done  
Copying blob 2edcec3590a4 done  
Copying blob deefaa620a71 done  
Copying config dabbfbe0c5 done  
Writing manifest to image destination
Storing signatures

You can see that there is now an additional v0.2 image.

(Figure: architecture relationship between nerdctl and containerd, containerd and podman, daemon comparison)

Delete the local image and pull the private image from the registry

[root@localhost ~]# podman rmi docker.io/servicestt/l1:v0.2 
Untagged: docker.io/servicestt/l1:v0.2
[root@localhost ~]# podman images
REPOSITORY                 TAG         IMAGE ID      CREATED       SIZE
[root@localhost ~]# podman pull servicestt/l1:v0.2
Resolving "servicestt/l1" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/servicestt/l1:v0.2...
Getting image source signatures
Copying blob ef7255fe9b30 skipped: already exists  
Copying blob 7a8dc8979745 skipped: already exists  
Copying blob 2fa2d6f8d839 skipped: already exists  
Copying blob bc6acb54c865 skipped: already exists  
Copying blob 441b03d7d03a [--------------------------------------] 0.0b / 0.0b
Copying config dabbfbe0c5 done  
Writing manifest to image destination
Storing signatures
dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34
[root@localhost ~]# podman images
REPOSITORY                 TAG         IMAGE ID      CREATED       SIZE
docker.io/servicestt/l1    v0.2        dabbfbe0c57b  7 months ago  148 MB

Extended experiment

Run a container and map port 80

[root@localhost ~]# podman run -dit --name web -p80:80 httpd 
fa2e3666428b9195e6c987cbd645bff7b2fee241f214e997e9769fe2943d6a40
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS               NAMES
fa2e3666428b  docker.io/library/httpd:latest  httpd-foreground  8 seconds ago  Up 8 seconds ago  0.0.0.0:80->80/tcp  web
[root@localhost ~]# ss -antl
State   Recv-Q  Send-Q     Local Address:Port     Peer Address:Port  Process  
LISTEN  0       128              0.0.0.0:22            0.0.0.0:*              
LISTEN  0       128              0.0.0.0:80            0.0.0.0:*              
LISTEN  0       128                 [::]:22               [::]:*  
[root@localhost ~]# podman port web
80/tcp -> 0.0.0.0:80
[root@localhost ~]# curl 192.168.47.137:80
<html><body><h1>It works!</h1></body></html>

View detailed information

[root@localhost ~]# podman inspect web
[
    {
        "Id": "fa2e3666428b9195e6c987cbd645bff7b2fee241f214e997e9769fe2943d6a40",
        "Created": "2022-08-12T10:57:45.046714864+08:00",
        "Path": "httpd-foreground",
        "Args": [
            "httpd-foreground"
        ],
        "State": {
            "OciVersion": "1.0.2-dev",
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 17842,
            "ConmonPid": 17833,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2022-08-12T10:57:45.63847444+08:00",
            "FinishedAt": "0001-01-01T00:00:00Z",
            "Healthcheck": {
                "Status": "",

Enter the container

[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND           CREATED       STATUS           PORTS               NAMES
fa2e3666428b  docker.io/library/httpd:latest  httpd-foreground  11 hours ago  Up 11 hours ago  0.0.0.0:80->80/tcp  web
[root@localhost ~]# podman exec -it web /bin/bash
root@fa2e3666428b:/usr/local/apache2# ls
bin  build  cgi-bin  conf  error  htdocs  icons  include  logs	modules