How to compile and deploy podman?

1 Basics

1.1 Introduction to podman

– podman is short for Pod Manager
– podman is a tool for managing containers, container images and container volumes

1.2 podman features

– Supports multiple container image formats, including OCI (Open Containers Initiative) and Docker images
– Supports full image management, including pulling from a source, searching, building, and pushing to registries and other storage backends
– Supports full container lifecycle management, including searching, creating, running, checkpointing, restoring and removing
– Supports full container networking through CNI, Netavark and slirp4netns
– Supports shared resources and pods (groups of containers)
– Supports running containers and pods as root or as a non-root user
– Supports resource isolation for containers and pods
– Supports a Docker-like command line interface (CLI)

1.3 podman architecture

– podman, the server side, provides the REST API, a Docker-compatible interface and podman's own high-level interface
– podman-remote, the client side, connects to and manages the server

1.4 podman characteristics

– podman is a daemonless (better security and lower resource usage), open-source, Linux-native tool
– podman relies on an OCI container runtime (runc, crun, runv, etc.) to interact with the operating system and create running containers
– podman uses the libpod library to manage the whole container ecosystem (pods, containers, container images and container volumes)
– podman supports all commands and functions for maintaining and modifying OCI container images

2 Best practice

2.1 Environment

OS = RHEL 8.5 x86_64
IP Address = 10.168.0.168
Host Name = podman.cmdschool.org

2.2 Preparation before installation

2.2.1 Configure the package repositories

vim /etc/yum.repos.d/Centos-8.5.2111.repo

Add the following configuration:

[base]
name=CentOS-8.5.2111 - Base
baseurl=https://vault.centos.org/8.5.2111/BaseOS/$basearch/os/
gpgcheck=0

#additional packages that may be useful
[extras]
name=CentOS-8.5.2111 - Extras
baseurl=https://vault.centos.org/8.5.2111/extras/$basearch/os/
gpgcheck=0

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-8.5.2111 - Plus
baseurl=https://vault.centos.org/8.5.2111/centosplus/$basearch/os/
gpgcheck=0

[PowerTools]
name=CentOS-8.5.2111 - PowerTools
baseurl=https://vault.centos.org/8.5.2111/PowerTools/$basearch/os/
gpgcheck=0

In addition, because some packages cannot be found otherwise, we also need to configure the CentOS 7 repositories:

vim /etc/yum.repos.d/CentOS-7.8-x86_64.repo

Add the following configuration:

[base]
name=CentOS-$releasever - Base
baseurl=https://vault.centos.org/7.8.2003/os/$basearch/
gpgcheck=1
gpgkey=https://vault.centos.org/7.8.2003/os/x86_64/RPM-GPG-KEY-CentOS-7

#released updates
[updates]
name=CentOS-$releasever - Updates
baseurl=https://vault.centos.org/7.8.2003/updates/$basearch/
gpgcheck=1
gpgkey=https://vault.centos.org/7.8.2003/os/x86_64/RPM-GPG-KEY-CentOS-7

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
baseurl=https://vault.centos.org/7.8.2003/extras/$basearch/
gpgcheck=1
gpgkey=https://vault.centos.org/7.8.2003/os/x86_64/RPM-GPG-KEY-CentOS-7

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
baseurl=https://vault.centos.org/7.8.2003/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://vault.centos.org/7.8.2003/os/x86_64/RPM-GPG-KEY-CentOS-7

#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
baseurl=https://vault.centos.org/7.8.2003/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://vault.centos.org/7.8.2003/os/x86_64/RPM-GPG-KEY-CentOS-7

2.2.2 Remove the default packages

yum remove -y podman*

2.2.3 Install the build tools

yum install -y golang make

2.2.4 Install auxiliary tools

yum install -y git unzip

2.2.5 Download the packages

cd ~
wget https://github.com/containers/podman/archive/refs/tags/v4.0.3.tar.gz -O podman-v4.0.3.tar.gz
wget https://github.com/containers/conmon/releases/download/v2.1.0/conmon-x86.zip

2.3 Deploy the podman server

2.3.1 Extract the package

tar -xf podman-v4.0.3.tar.gz

2.3.2 Build the package

cd ~/podman-4.0.3/
make BUILDTAGS="selinux seccomp systemd"

For the available build tags, see the table below:

Build Tag                         Feature                              Dependency
apparmor                          apparmor support                     libapparmor
exclude_graphdriver_btrfs         exclude btrfs                        libbtrfs
exclude_graphdriver_devicemapper  exclude device-mapper                libdm
libdm_no_deferred_remove          exclude deferred removal in libdm    libdm
seccomp                           syscall filtering                    libseccomp
selinux                           selinux process and mount labeling
systemd                           journald logging                     libsystemd

If you see the following error:

# github.com/coreos/go-systemd/v22/sdjournal
vendor/github.com/coreos/go-systemd/v22/sdjournal/journal.go:27:11: fatal error: systemd/sd-journal.h: No such file or directory
 // #include <systemd/sd-journal.h>
           ^~~~~~~~~~~~~~~~~~~~~~
compilation terminated.

resolve the dependency with the following command:

yum install -y systemd-devel

If you see the following error:

# github.com/proglottis/gpgme
vendor/github.com/proglottis/gpgme/data.go:4:11: fatal error: gpgme.h: No such file or directory
 // #include <gpgme.h>
           ^~~~~~~~~
compilation terminated.

resolve the dependency with the following command:

yum install -y gpgme-devel

If you see the following error:

# github.com/containers/storage/drivers/btrfs
vendor/github.com/containers/storage/drivers/btrfs/btrfs.go:8:10: fatal error: btrfs/ioctl.h: No suc
 #include <btrfs/ioctl.h>
          ^~~~~~~~~~~~~~~
compilation terminated.

resolve the dependency with the following command:

yum install -y btrfs-progs-devel

If you see the following error:

# github.com/proglottis/gpgme
/usr/bin/ld: cannot find -lassuan
collect2: error: ld returned 1 exit status

resolve the dependency with the following command:

yum install -y libassuan-devel

If you see the following error:

# pkg-config --cflags  -- devmapper
Package devmapper was not found in the pkg-config search path.
Perhaps you should add the directory containing `devmapper.pc'
to the PKG_CONFIG_PATH environment variable
Package 'devmapper', required by 'virtual:world', not found
pkg-config: exit status 1

resolve the dependency with the following command:

yum install -y device-mapper-devel

If you see the following error:

# pkg-config --cflags  -- libseccomp libseccomp
Package libseccomp was not found in the pkg-config search path.
Perhaps you should add the directory containing `libseccomp.pc'
to the PKG_CONFIG_PATH environment variable
Package 'libseccomp', required by 'virtual:world', not found
Package 'libseccomp', required by 'virtual:world', not found
pkg-config: exit status 1

resolve the dependency with the following command:

yum install -y libseccomp-devel

If you see the following error:

# cd .; git clone -- https://github.com/cpuguy83/go-md2man /root/go/src/github.com/cpuguy83/go-md2man
Cloning into '/root/go/src/github.com/cpuguy83/go-md2man'...
fatal: unable to access 'https://github.com/cpuguy83/go-md2man/': Failed to connect to github.com port 443: Connection refused
package github.com/cpuguy83/go-md2man: exit status 128

The error above occurs because git clone has to download dependencies from the internet, so you may need to configure a forward proxy; see:

How to configure a Linux proxy?
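Each of the dependency errors above only shows up one failed make at a time. As an added example that is not from the original post, the following script derives the headers a given BUILDTAGS value needs, from the table and the error messages above, and reports the yum packages to install before the first make; INCLUDE_ROOT is an assumed parameter (default /usr/include), and the apparmor tag is left out because the text gives no package for it.

```shell
#!/bin/sh
# Added example, not from the original post: find every missing -devel
# package for the chosen BUILDTAGS in one pass, before running make.
# Assumption: INCLUDE_ROOT is the header tree to inspect (default /usr/include).
# The header -> package pairs follow the compile/link errors shown above
# (assuan.h stands in for the "-lassuan" link error).

# required_headers TAGS -> prints "header package" pairs needed by TAGS
required_headers() {
    tags=" $1 "
    # image signature support (gpgme + assuan) is always compiled in
    echo "gpgme.h gpgme-devel"
    echo "assuan.h libassuan-devel"
    # graph drivers are built unless explicitly excluded by tag
    case "$tags" in
        *" exclude_graphdriver_btrfs "*) ;;
        *) echo "btrfs/ioctl.h btrfs-progs-devel" ;;
    esac
    case "$tags" in
        *" exclude_graphdriver_devicemapper "*) ;;
        *) echo "libdevmapper.h device-mapper-devel" ;;
    esac
    # optional features are only compiled when their tag is present
    case "$tags" in *" seccomp "*) echo "seccomp.h libseccomp-devel" ;; esac
    case "$tags" in *" systemd "*) echo "systemd/sd-journal.h systemd-devel" ;; esac
}

# missing_packages TAGS -> prints, one per line, packages whose header is absent
missing_packages() {
    root="${INCLUDE_ROOT:-/usr/include}"
    required_headers "$1" | while read -r hdr pkg; do
        [ -f "$root/$hdr" ] || echo "$pkg"
    done | sort -u
}

# preflight TAGS -> returns 0 when all headers exist; otherwise prints the
# yum command that installs the missing packages and returns 1
preflight() {
    pkgs=$(missing_packages "$1" | tr '\n' ' ')
    if [ -z "$pkgs" ]; then
        return 0
    fi
    echo "yum install -y $pkgs"
    return 1
}
```

Run `preflight "selinux seccomp systemd"` on the build host with the same tags you pass to make; it prints the single yum command to run, or nothing when the build can proceed.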

2.3.3 Install the package

make install PREFIX=/usr

After installation, verify it with the following command:

podman -v

You should see:

podman version 4.0.3

2.4 Deploy conmon

2.4.1 Extract the package

cd ~
unzip conmon-x86.zip

2.4.2 Install the package

cp bin/conmon /usr/bin/conmon
chmod +x /usr/bin/conmon

After deployment, test that the installation is ready with the following command:

conmon --version

You should see:

conmon version 2.1.0
commit: d1565eeb78fa4c9a280040307844d99d10662b9f-dirty

As an aside, installing conmon as above avoids the following error later on:

Error: could not find a working conmon binary (configured options: [/usr/libexec/podman/conmon /usr/local/libexec/podman/conmon /usr/local/lib/podman/conmon /usr/bin/conmon /usr/sbin/conmon /usr/local/bin/conmon /usr/local/sbin/conmon /run/current-system/sw/bin/conmon]): invalid argument

2.5 Configure the API service

2.5.1 Test running the API

/usr/bin/podman --log-level=debug system service

Run the command above to debug (by default it exits automatically after 5 seconds). If you see the following messages:

DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument
DEBU[0000] Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument
DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument
DEBU[0000] Configured OCI runtime crun initialization failed: no valid executable found for OCI runtime crun: invalid argument

these runtimes are optional. To install the OCI runtime crun, use the following command:

yum install -y crun

To install the OCI runtime kata, use the following commands:

cat <<EOF | sudo -E tee /etc/yum.repos.d/kata-containers.repo
[kata-containers]
name=kata-containers
baseurl=http://mirror.centos.org/centos-8/8.5.2111/virt/x86_64/kata-containers/
enabled=1
gpgcheck=0
EOF
yum install -y crun kata-runtime

To install the OCI runtime runsc, use the following commands:

(
  set -e
  ARCH=$(uname -m)
  URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
  wget ${URL}/runsc ${URL}/runsc.sha512 \
    ${URL}/containerd-shim-runsc-v1 ${URL}/containerd-shim-runsc-v1.sha512
  sha512sum -c runsc.sha512 \
    -c containerd-shim-runsc-v1.sha512
  rm -f *.sha512
  chmod a+rx runsc containerd-shim-runsc-v1
  sudo mv runsc containerd-shim-runsc-v1 /usr/local/bin
)

2.5.2 Configure the API service

vim /usr/lib/systemd/system/podman.service

Change the parameters as follows:

[Unit]
Description=Podman API Service
Requires=podman.socket
After=podman.socket
Documentation=man:podman-system-service(1)
StartLimitIntervalSec=0

[Service]
Type=exec
KillMode=process
Environment=LOGGING="--log-level=info"
ExecStart=/usr/bin/podman $LOGGING system service -t 0
ExecStartPost=/usr/bin/chown podman:podman -R /run/podman

[Install]
WantedBy=multi-user.target

The unit above needs the following ordinary user, so create it:

groupadd podman
useradd -g podman -d /var/lib/podman podman
echo podmanpwd | passwd --stdin podman

Also, the key change above is adding the "-t 0" parameter to the "ExecStart" line, so that the API keeps listening after it starts. After the change, run the following command to make it take effect:

systemctl daemon-reload

Once it has taken effect, start the service and enable it at boot with the following commands:

systemctl start podman.service
systemctl enable podman.service
systemctl status podman.service

After starting, confirm that the socket file exists with:

ls -l /run/podman/podman.sock

You should see:

srw-rw----. 1 podman podman 0 Apr  7 14:12 /run/podman/podman.sock
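The service above runs podman as root and hands the socket to the podman group, so every member of that group, and every user whose primary group it is, can drive the root-level API. As an added example that is not part of the original post, this script audits that access from the ls -l mode string and the group and passwd files; the mode string and file paths are parameters so it can run against sample data.

```shell
#!/bin/sh
# Added example, not from the original post: audit who can reach the API socket.
# "podman system service" runs as root here, so any account that can write to
# /run/podman/podman.sock controls the host as root; the socket mode and the
# membership of its group are the effective access list.
# Assumptions: MODE is the ls -l string shown above; GROUP_FILE and PASSWD_FILE
# default to /etc/group and /etc/passwd but are parameters for testing.

# socket_mode_ok MODE -> 0 when the "other" bits are all clear (srw-rw----)
socket_mode_ok() {
    case "$1" in
        s??????---*) return 0 ;;
        *)           return 1 ;;
    esac
}

# group_members GROUP GROUP_FILE PASSWD_FILE -> every user who belongs to GROUP,
# both the supplementary members and users whose primary GID is the group's
group_members() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$2")
    {
        awk -F: -v g="$1" '$1 == g { n = split($4, m, ",");
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2"
        [ -n "$gid" ] && awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$3"
    } | sort -u
}

# audit_socket MODE OWNER GROUP [GROUP_FILE] [PASSWD_FILE] -> prints findings;
# returns 1 when the socket is world-accessible or shared beyond OWNER
audit_socket() {
    rc=0
    if ! socket_mode_ok "$1"; then
        echo "WARN: mode $1 lets every local user use the root podman API"
        rc=1
    fi
    for u in $(group_members "$3" "${4:-/etc/group}" "${5:-/etc/passwd}"); do
        [ "$u" = "$2" ] && continue
        echo "INFO: $u can use the root podman API through group $3"
        rc=1
    done
    return $rc
}
```

On the server, `audit_socket "$(stat -c %A /run/podman/podman.sock)" podman podman` lists every account beyond the podman user that the socket grants root-level control to.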

2.6 Deploy the podman client

2.6.1 Install the package

On a Windows client:
https://github.com/containers/podman/releases/download/v4.0.3/podman-v4.0.3.msi
Note: just download and run the installer (no instructions needed).

On a Linux client:

podman-remote -v

Note: the build installs it automatically; no extra installation is needed.

2.6.2 Test the client connection

On a Windows client:

podman.exe system connection add podman ssh://podman@10.168.0.168/run/podman/podman.sock
podman.exe system connection list
podman.exe images
podman.exe system connection remove podman

On a Linux client:

podman-remote system connection add podman ssh://podman@10.168.0.168/run/podman/podman.sock
podman-remote system connection list
podman-remote images
podman-remote system connection remove podman

2.6.3 Use public-key authentication

On a Linux client:

ssh-keygen -t ed25519 -P '' -f ~/.ssh/id_ed25519
ssh-copy-id -i ~/.ssh/id_ed25519.pub podman@10.168.0.168
ssh -i ~/.ssh/id_ed25519 podman@10.168.0.168

The commands above create a key pair for public-key authentication and copy the public key to the server; the private key is then used to send requests to the server:

podman-remote system connection add podman --identity ~/.ssh/id_ed25519 ssh://podman@10.168.0.168/run/podman/podman.sock
podman-remote system connection list
podman-remote images
podman-remote system connection remove podman

On a Windows client:

podman.exe system connection add podman --identity d:/id_ed25519 ssh://podman@10.168.0.168/run/podman/podman.sock
podman.exe system connection list
podman.exe images
podman.exe system connection remove podman

Note: the key can be created on Linux and then copied to the path referenced in the command above, "d:/id_ed25519".

References
====================

Official home page
------------------
https://podman.io/

Introduction
------------
https://docs.podman.io/en/latest/

Installation tutorial
---------------------
https://podman.io/getting-started/installation

Commands
--------
https://docs.podman.io/en/latest/Commands.html

github
------
https://github.com/containers/podman

github releases
---------------
https://github.com/containers/podman/releases
https://github.com/containers/conmon/releases

Installing the kata runtime
---------------------------
https://github.com/kata-containers/documentation/blob/master/install/centos-installation-guide.md
https://katacontainers.io/software/

runsc runtime on GitHub
-----------------------
https://github.com/google/gvisor

Installing the runsc runtime
----------------------------
https://gvisor.dev/docs/user_guide/install/

krun
----
https://github.com/containers/krunvm

Using podman system service
---------------------------
https://docs.podman.io/en/latest/markdown/podman-system-service.1.html

Using the remote client
-----------------------
https://github.com/containers/podman/blob/main/docs/tutorials/remote_client.md
