1 Fundamentals
1.1 Introduction to podman
– podman is short for Pod Manager
– podman is a tool for managing containers, images and container volumes
1.2 Features of podman
– Supports multiple container image formats, including OCI (Open Containers Initiative) and Docker images
– Supports full image management, including pulling from sources, searching, building, and pushing to registries and other storage backends
– Supports full container lifecycle management, including searching, creating, running, checkpointing, restoring and removing
– Supports full container networking management with CNI, Netavark and slirp4netns
– Supports sharing resources within Pods and container groups
– Supports running containers and Pods as root or as a non-root user
– Supports resource isolation for containers and Pods
– Supports a Docker-like command-line interface (CLI)
1.3 Architecture of podman
– podman, the server side, provides the REST API, a Docker-compatible interface and the open, higher-level Podman interface
– podman-remote, the client side, connects to and manages the server
1.4 Characteristics of podman
– podman is a daemonless (improving security and reducing resource usage), open-source, Linux-native tool
– podman relies on an OCI container runtime (runc, crun, runv, etc.) to interact with the operating system and create running containers
– podman uses the libpod library to manage the whole container ecosystem (pods, containers, container images and container volumes)
– podman supports every command and feature needed to maintain and modify OCI container images
2 Best practice
2.1 Environment
OS = RHEL 9.x x86_64
IP Address = 10.168.0.168
Host Name = any
2.2 Deploying the podman server
2.2.1 Install the package
dnf install -y podman
2.2.2 Verify the installed package
podman -v
The output looks like this,
podman version 3.3.1
2.2.3 Getting help
podman --help
The output looks like this,
Manage pods, containers and images

Usage:
  podman [options] [command]

Available Commands:
  attach      Attach to a running container
  auto-update Auto update containers according to their auto-update policy
  build       Build an image using instructions from Containerfiles
  commit      Create new image based on the changed container
  container   Manage containers
  #...
2.2.4 Enable the API service
/usr/bin/podman --log-level=debug system service
Run the command above to debug the service (by default it exits automatically after 5 seconds). If you see error messages like the following,
DEBU[0000] Configured OCI runtime runc initialization failed: no valid executable found for OCI runtime runc: invalid argument
DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument
DEBU[0000] Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument
DEBU[0000] Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument
DEBU[0000] Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument
DEBU[0000] Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument
DEBU[0000] Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument
DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument
resolve the dependencies with the following commands,
cat <<EOF | sudo -E tee /etc/yum.repos.d/kata-containers.repo
[UEK-Release-7]
name=UEK-Release-7
baseurl=https://public-yum.oracle.com/repo/OracleLinux/OL9/UEKR7/x86_64/
enabled=1
gpgcheck=0
[Oracle-Cloud-Native-Environment-1.8]
name=Oracle-Cloud-Native-Environment-1.8
baseurl=https://public-yum.oracle.com/repo/OracleLinux/OL9/olcne18/x86_64/
enabled=1
gpgcheck=0
EOF
dnf install -y crun kata-runtime
(
  set -e
  ARCH=$(uname -m)
  URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
  wget ${URL}/runsc ${URL}/runsc.sha512 \
    ${URL}/containerd-shim-runsc-v1 ${URL}/containerd-shim-runsc-v1.sha512
  sha512sum -c runsc.sha512 \
    -c containerd-shim-runsc-v1.sha512
  rm -f *.sha512
  chmod a+rx runsc containerd-shim-runsc-v1
  sudo mv runsc containerd-shim-runsc-v1 /usr/local/bin
)
Once the service starts without errors, edit the systemd unit file with the following command,
vim /usr/lib/systemd/system/podman.service
and change its parameters as follows,
[Unit]
Description=Podman API Service
Requires=podman.socket
After=podman.socket
Documentation=man:podman-system-service(1)
StartLimitIntervalSec=0

[Service]
Type=exec
KillMode=process
Environment=LOGGING="--log-level=info"
ExecStart=/usr/bin/podman $LOGGING system service -t 0
ExecStartPost=/usr/bin/chown podman:podman -R /run/podman

[Install]
WantedBy=multi-user.target
The unit file above requires the following regular user, so create it,
groupadd podman
useradd -g podman -d /var/lib/podman podman
echo podmanpwd | passwd --stdin podman
Also note that the key change above is adding the "-t 0" parameter to the "ExecStart" line, so that the API keeps listening after start-up instead of exiting. After editing, run the following command to make the change take effect,
systemctl daemon-reload
Then start the service and enable it at boot with the following commands,
systemctl start podman.service
systemctl enable podman.service
systemctl status podman.service
After starting, confirm that the socket file exists,
ls -l /run/podman/podman.sock
The output looks like this,
srw-rw----. 1 podman podman 0 Apr 7 14:12 /run/podman/podman.sock
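The socket is the control channel for the whole API: anyone who can write to it can run containers with the server's privileges, so its ownership and mode deserve a check, not just its existence. The following script is an added example and is not part of the original article or of the podman project; it parses an ls -l line like the one shown above and, when run on the server itself, also pings the libpod API through the socket with curl (the podman user and group names and the socket path are the assumed values from this article's setup; the sample ls -l lines at the bottom are constructed).

```shell
#!/bin/sh
# Added example (not from the original article): checks that the Podman API
# socket is only reachable by the intended user and group. Anyone who can
# write to this socket can start privileged containers, so the mode must
# never grant access to "others".

# check_socket_listing LINE
# LINE is one line of `ls -l` output for the socket. Prints "ok" when the
# entry is a socket, owned by user and group "podman" (assumed from the
# article), with no permission bits for others; otherwise prints the
# reason and returns 1.
check_socket_listing() {
    # first field is the mode string; it may end in "." or "+" (SELinux/ACL),
    # so keep only the ten standard characters
    mode=$(printf '%s\n' "$1" | awk '{print $1}' | cut -c1-10)
    owner=$(printf '%s\n' "$1" | awk '{print $3}')
    group=$(printf '%s\n' "$1" | awk '{print $4}')
    case "$mode" in
        s*) ;;
        *) echo "not a socket: $mode"; return 1 ;;
    esac
    others=$(printf '%s' "$mode" | cut -c8-10)
    if [ "$others" != "---" ]; then
        echo "others have access: $mode"; return 1
    fi
    if [ "$owner" != podman ] || [ "$group" != podman ]; then
        echo "unexpected owner $owner:$group"; return 1
    fi
    echo ok
}

# probe_socket [PATH]
# Live check on the server: verify the listing, then ping the libpod API
# over the socket. The _ping endpoint answers "OK" when the service is up.
probe_socket() {
    sock=${1:-/run/podman/podman.sock}
    [ -S "$sock" ] || { echo "missing: $sock"; return 1; }
    check_socket_listing "$(ls -l "$sock")" || return 1
    curl -sS --unix-socket "$sock" http://d/v1.0.0/libpod/_ping
    echo
}

# Usage with constructed sample lines; the first matches the article's output,
# the second is a deliberately loose socket that must be rejected.
check_socket_listing 'srw-rw----. 1 podman podman 0 Apr 7 14:12 /run/podman/podman.sock'
check_socket_listing 'srw-rw-rw-. 1 root root 0 Apr 7 14:12 /run/podman/podman.sock' || :
```

Run probe_socket on the server after systemctl start; a failed listing check before the curl line tells you the ExecStartPost chown in the unit file did not take effect.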
2.2.5 Enable session lingering for the user
loginctl enable-linger podman
This command enables the linger setting for the user, so that the user's session keeps running after the user logs out. To reverse it, run the following command,
loginctl disable-linger podman
2.3 Deploying the podman client
2.3.1 Install the package
On a Windows client,
https://github.com/containers/podman/releases/download/v3.3.1/podman-v3.3.1.msi
Note: just download and run the installer (no instructions needed).
On a Linux client,
dnf install -y podman-remote
2.3.2 Test the client connection
On a Windows client,
podman.exe system connection add podman ssh://podman@10.168.0.168/run/podman/podman.sock
podman.exe system connection list
podman.exe images
podman.exe system connection remove podman
On a Linux client,
podman-remote system connection add podman ssh://podman@10.168.0.168/run/podman/podman.sock
podman-remote system connection list
podman-remote images
podman-remote system connection remove podman
2.3.3 Use public-key authentication
On a Linux client,
ssh-keygen -t ed25519 -P '' -f ~/.ssh/id_ed25519
ssh-copy-id -i ~/.ssh/id_ed25519.pub podman@10.168.0.168
ssh -i ~/.ssh/id_ed25519 podman@10.168.0.168
The commands above create a key pair for public-key authentication and copy the public key to the server; the private key is then used for requests to the server,
podman-remote system connection add podman --identity ~/.ssh/id_ed25519 ssh://podman@10.168.0.168/run/podman/podman.sock
podman-remote system connection list
podman-remote images
podman-remote system connection remove podman
On a Windows client,
podman.exe system connection add podman --identity d:/id_ed25519 ssh://podman@10.168.0.168/run/podman/podman.sock
podman.exe system connection list
podman.exe images
podman.exe system connection remove podman
Note: the key can be generated on Linux and then copied to the path referenced in the command above, "d:/id_ed25519".
2.4 Using an in-house image registry server
References
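Before registering the ssh:// connection it is worth checking two things the commands above rely on silently: ssh refuses a private key that other users can read, and the first connection to a host whose key is not yet in known_hosts is a trust-on-first-use decision. The following script is an added example, not part of the original article or of the podman project; the user name, host address and socket path are the assumed values from this article's environment, the key-mode check uses GNU stat, and the known_hosts check uses ssh-keygen -F.

```shell
#!/bin/sh
# Added example (not from the original article): client-side preflight for
# the ssh:// connection used by podman-remote. It refuses to register the
# connection until the private key is private and the server's host key is
# already pinned, so the first request cannot be silently intercepted.

# key_perms_ok KEYFILE -> 0 if the file exists and grants nothing to group/others
key_perms_ok() {
    [ -f "$1" ] || { echo "missing key: $1"; return 1; }
    mode=$(stat -c '%a' "$1")          # GNU stat: octal mode, e.g. 600
    case "$mode" in
        600|400) return 0 ;;
        *) echo "key $1 has mode $mode; run: chmod 600 $1"; return 1 ;;
    esac
}

# host_pinned HOST [KNOWN_HOSTS] -> 0 if HOST already has a known_hosts entry
host_pinned() {
    if [ -n "$2" ]; then
        ssh-keygen -F "$1" -f "$2" >/dev/null 2>&1
    else
        ssh-keygen -F "$1" >/dev/null 2>&1
    fi
}

# connection_uri USER HOST SOCKET -> prints the ssh:// URI podman-remote expects
connection_uri() {
    printf 'ssh://%s@%s%s\n' "$1" "$2" "$3"
}

# register_connection NAME USER HOST KEYFILE [SOCKET]
# Runs the checks above, then the same "system connection add" as the article.
register_connection() {
    name=$1; user=$2; host=$3; key=$4; sock=${5:-/run/podman/podman.sock}
    key_perms_ok "$key" || return 1
    if ! host_pinned "$host"; then
        echo "host key for $host is not in known_hosts; verify its fingerprint"
        echo "out of band and add it before connecting"
        return 1
    fi
    podman-remote system connection add "$name" --identity "$key" \
        "$(connection_uri "$user" "$host" "$sock")" \
    && podman-remote system connection list
}

# Usage with the article's assumed values (run on the Linux client):
# register_connection podman podman 10.168.0.168 ~/.ssh/id_ed25519
```

If host_pinned fails, compare the fingerprint you obtain from the server console (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub on the server) with what ssh shows on first connect before accepting it.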
====================
Official home page
————–
https://podman.io/
Introduction
————–
https://docs.podman.io/en/latest/
Installation guide
————
https://podman.io/getting-started/installation
Commands
———–
https://docs.podman.io/en/latest/Commands.html
github
————
https://github.com/containers/podman
github releases
—————
https://github.com/containers/podman/releases
Installing the kata runtime
—————
https://github.com/kata-containers/documentation/blob/master/install/centos-installation-guide.md
https://katacontainers.io/software/
runsc runtime on GitHub
——————
https://github.com/google/gvisor
Installing the runsc runtime
——————-
https://gvisor.dev/docs/user_guide/install/
Using podman system service
——————————
https://docs.podman.io/en/latest/markdown/podman-system-service.1.html
Using the remote client
—————-
https://github.com/containers/podman/blob/main/docs/tutorials/remote_client.md