How to deploy podman on Ubuntu 24.04.4 LTS with apt?

1 Basics

1.1 Introduction to podman

– podman is short for Pod Manager
– podman is a tool for managing containers, container images and container volumes

1.2 podman features

– Supports multiple container image formats, including OCI (Open Containers Initiative) and Docker images
– Supports full image management, including pulling, searching, building, and pushing to registries and other storage backends
– Supports full container lifecycle management, including searching, creating, running, checkpointing, restoring and removing
– Supports full container networking through CNI, Netavark and slirp4netns
– Supports pods (groups of containers) that share resources
– Supports running containers and pods as root or as a non-root user
– Supports resource isolation for containers and pods
– Supports a Docker-like command-line interface (CLI)

1.3 podman architecture

– podman, the server side, provides a REST API with a Docker-compatible interface and Podman's own higher-level interface
– podman-remote, the client side, connects to and manages the server

1.4 podman characteristics

– podman is a daemonless (better security, lower resource usage), open-source, Linux-native tool
– podman relies on an OCI container runtime (runc, crun, runv, etc.) to interact with the operating system and create running containers
– podman uses the libpod library to manage the whole container ecosystem (pods, containers, container images and container volumes)
– podman supports all commands and features needed to maintain and modify OCI container images

2 Best practice

2.1 Environment

OS = Ubuntu 24.04.4 LTS
IP Address = 10.168.0.168
Host Name = any

2.2 Deploying the podman server

2.2.1 Install the package

apt install -y podman

2.2.2 Verify the installed package

podman -v

The output is as follows,

podman version 4.9.3

2.2.3 Usage help

podman --help

The output is as follows,

Manage pods, containers and images

Usage:
  podman [options] [command]

Available Commands:
  attach      Attach to a running container
  auto-update Auto update containers according to their auto-update policy
  build       Build an image using instructions from Containerfiles
  commit      Create new image based on the changed container
  compose     Run compose workloads via an external provider such as docker-compose or podman-compose
  container   Manage containers
#...

2.2.4 Enable the API service

/usr/bin/podman --log-level=debug system service

Run the above command to test the service in debug mode (by default it exits automatically after 5 seconds idle); when everything is working, output like the following appears,

INFO[0000] /usr/bin/podman filtering at log level debug 
DEBU[0000] Called service.PersistentPreRunE(/usr/bin/podman --log-level=debug system service) 
DEBU[0000] Using conmon: "/usr/bin/conmon"              
INFO[0000] Using sqlite as database backend             
DEBU[0000] Using graph driver                           
DEBU[0000] Using graph root /var/lib/containers/storage 
DEBU[0000] Using run root /run/containers/storage       
DEBU[0000] Using static dir /var/lib/containers/storage/libpod 
DEBU[0000] Using tmp dir /run/libpod                    
DEBU[0000] Using volume path /var/lib/containers/storage/volumes 
DEBU[0000] Using transient store: false                 
DEBU[0000] Cached value indicated that overlay is supported 
DEBU[0000] Cached value indicated that overlay is supported 
DEBU[0000] Cached value indicated that metacopy is not being used 
DEBU[0000] Cached value indicated that native-diff is usable 
DEBU[0000] backingFs=extfs, projectQuotaSupported=false, useNativeDiff=true, usingMetacopy=false 
INFO[0000] [graphdriver] using prior storage driver: overlay 
DEBU[0000] Initializing event backend journald          
DEBU[0000] Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument 
DEBU[0000] Configured OCI runtime runc initialization failed: no valid executable found for OCI runtime runc: invalid argument 
DEBU[0000] Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument 
DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument 
DEBU[0000] Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument 
DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument 
DEBU[0000] Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument 
DEBU[0000] Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument 
DEBU[0000] Using OCI runtime "/usr/bin/crun"            
INFO[0000] Setting parallel job count to 37             
DEBU[0000] registered SIGHUP watcher for config         
INFO[0000] API service listening on "/run/podman/podman.sock". URI: "unix:///run/podman/podman.sock" 
DEBU[0000] CORS Headers were not set                    
DEBU[0000] waiting for SIGHUP to reload configuration   
DEBU[0005] API service(s) shutting down, idle for 5s    
DEBU[0005] API service shutdown, 0/0 connection(s)      
DEBU[0005] API service forced shutdown, ignoring timeout Duration 
DEBU[0005] Called service.PersistentPostRunE(/usr/bin/podman --log-level=debug system service) 
DEBU[0005] Shutting down engines 

Next, edit the service unit with the following command,

vim /usr/lib/systemd/system/podman.service

Change the parameters as follows,

[Unit]
Description=Podman API Service
Requires=podman.socket
After=podman.socket
Documentation=man:podman-system-service(1)
StartLimitIntervalSec=0

[Service]
Type=exec
KillMode=process
Environment=LOGGING="--log-level=info"
ExecStart=/usr/bin/podman $LOGGING system service -t 0
ExecStartPost=/usr/bin/chown podman:podman -R /run/podman

[Install]
WantedBy=multi-user.target

The unit above requires a regular user, which we create as follows,

groupadd podman
# -m creates the home directory, which ssh-copy-id needs later for ~/.ssh/authorized_keys
useradd -g podman -d /var/lib/podman -m podman
# Ubuntu's passwd has no --stdin option; chpasswd reads user:password from stdin instead
echo 'podman:podmanpwd' | chpasswd

The key change above is the “-t 0” parameter added to the “ExecStart” line, which makes the API service keep listening after startup instead of exiting when idle. After editing, run the following command to apply the change,

systemctl daemon-reload

Once applied, start the service and enable it to start at boot with the following commands,

systemctl start podman.service
systemctl enable podman.service
systemctl status podman.service

Next, edit the socket unit with the following command,

vim /usr/lib/systemd/system/podman.socket

Change the parameters as follows,

[Unit]
Description=Podman API Socket
Documentation=man:podman-system-service(1)

[Socket]
ListenStream=/run/podman/podman.sock
ExecStartPost=/usr/bin/chown podman:podman -R /run/podman
ExecStartPost=/usr/bin/chmod 775 /run/podman
SocketMode=0660

[Install]
WantedBy=sockets.target

After editing, run the following commands to apply the change,

systemctl daemon-reload
systemctl restart podman.socket

After it starts, confirm that the socket file exists with the following command,

ls -l /run/podman/podman.sock

The output is as follows,

srw-rw---- 1 podman podman 0 Apr  7 10:56 /run/podman/podman.sock
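Because the service above runs as root, any account that can open /run/podman/podman.sock has root-equivalent control of the host, so the socket's owner, group and mode and the membership of the podman group are worth auditing. The script below is an added example (not from the original article); it assumes GNU stat and getent, and curl for the optional API ping.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): audit the rootful Podman API
# socket configured above. Any account that can connect to /run/podman/podman.sock
# can drive a root-level Podman, so owner, group, mode and the members of the
# "podman" group deserve a check. Assumes GNU stat, getent and (optionally) curl.
SOCK=${SOCK:-/run/podman/podman.sock}

# Resolve a user/group name to its numeric id; numeric input passes through.
_uid() { id -u "$1" 2>/dev/null || printf '%s\n' "$1"; }
_gid() { local g; g=$(getent group "$1" 2>/dev/null | cut -d: -f3); printf '%s\n' "${g:-$1}"; }

# Return 0 when PATH is owned by OWNER:GROUP with octal MODE (e.g. 660), else 1.
check_perms() {
  local path=$1 owner=$2 group=$3 mode=$4 actual
  actual=$(stat -c '%u %g %a' "$path" 2>/dev/null) || return 1
  [ "$actual" = "$(_uid "$owner") $(_gid "$group") $mode" ]
}

# Return 0 when an octal mode gives "other" no permission bits at all.
no_world_access() { case $1 in *0) return 0 ;; *) return 1 ;; esac; }

# Print every account that reaches the socket through GROUP: explicit members
# plus users whose primary group it is (those never appear in /etc/group).
group_members() {
  local entry gid
  entry=$(getent group "$1") || return 1
  gid=${entry#*:*:}; gid=${gid%%:*}
  { printf '%s\n' "${entry##*:}" | tr ',' '\n'
    getent passwd | awk -F: -v g="$gid" '$4 == g { print $1 }'; } | sed '/^$/d' | sort -u
}

# Report on the socket as the units above configure it (podman:podman, 0660,
# /run/podman at 0775) and, when curl is available, ping the REST API.
audit_podman_socket() {
  local dir mode; dir=$(dirname "$SOCK"); mode=$(stat -c '%a' "$SOCK" 2>/dev/null || true)
  [ "$(stat -c '%F' "$SOCK" 2>/dev/null)" = socket ] || echo "WARN: $SOCK is not a socket"
  check_perms "$SOCK" podman podman 660 && echo "OK: $SOCK is podman:podman 0660" ||
    echo "WARN: $SOCK is $(stat -c '%U:%G %a' "$SOCK" 2>/dev/null || echo missing)"
  [ -z "$mode" ] || no_world_access "$mode" || echo "WARN: mode $mode is open to every user"
  check_perms "$dir" podman podman 775 || echo "WARN: $dir is not podman:podman 0775"
  echo "accounts with root-equivalent access through group podman:"
  if getent group podman >/dev/null 2>&1; then group_members podman | sed 's/^/  /'
  else echo "  (group podman does not exist)"; fi
  # http://d is a dummy host name; curl ignores it when --unix-socket is given.
  command -v curl >/dev/null 2>&1 && curl -s --unix-socket "$SOCK" http://d/_ping && echo
  return 0
}
# Run the report when executed as a script (skipped when sourced into a shell).
case ${0##*/} in bash|sh|dash|-*) ;; *) audit_podman_socket ;; esac
```

A healthy deployment prints the OK line, lists only the accounts you expect in the podman group, and answers the ping with OK.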

2.2.5 Enable user session lingering

loginctl enable-linger podman

This command enables the user's linger setting so that the user's session keeps running after logout; to reverse it, run the following command,

loginctl disable-linger podman

2.3 Deploying the podman client

2.3.1 Install the package

On a Windows client,

https://github.com/containers/podman/releases/download/v3.3.1/podman-v3.3.1.msi

Note: download and install it directly (this needs no explanation).

On a Linux client,

apt install -y podman-remote

2.3.2 Test the client connection

On a Windows client,

podman.exe system connection add podman ssh://podman@10.168.0.168/run/podman/podman.sock
podman.exe system connection list
podman.exe images
podman.exe system connection remove podman

On a Linux client,

podman-remote system connection add podman ssh://podman@10.168.0.168/run/podman/podman.sock
podman-remote system connection list
podman-remote images
podman-remote system connection remove podman

2.3.3 Use public-key authentication

On a Linux client,

ssh-keygen -t ed25519 -P '' -f ~/.ssh/id_ed25519
ssh-copy-id -i ~/.ssh/id_ed25519.pub podman@10.168.0.168
ssh -i ~/.ssh/id_ed25519 podman@10.168.0.168

The above generates a key pair for public-key authentication and copies the public key to the server; the private key is then used to authenticate requests to the server,

podman-remote system connection add podman --identity ~/.ssh/id_ed25519 ssh://podman@10.168.0.168/run/podman/podman.sock
podman-remote system connection list
podman-remote images
podman-remote system connection remove podman

On a Windows client,

podman.exe system connection add podman --identity d:/id_ed25519 ssh://podman@10.168.0.168/run/podman/podman.sock
podman.exe system connection list
podman.exe images
podman.exe system connection remove podman

Note: the key pair can be generated on Linux and the private key copied to the path referenced in the command above, “d:/id_ed25519”.

2.4 Using an internal enterprise image registry

How to customize the Podman registry address?

References
====================

Official home page
——————
https://podman.io/

Introduction
——————
https://docs.podman.io/en/latest/

Installation guide
——————
https://podman.io/getting-started/installation

Commands
——————
https://docs.podman.io/en/latest/Commands.html

github
——————
https://github.com/containers/podman

github releases
——————
https://github.com/containers/podman/releases

Installing the kata runtime
——————
https://github.com/kata-containers/documentation/blob/master/install/centos-installation-guide.md
https://katacontainers.io/software/

runsc runtime on github
——————
https://github.com/google/gvisor

Installing the runsc runtime
——————
https://gvisor.dev/docs/user_guide/install/

Using podman system service
——————
https://docs.podman.io/en/latest/markdown/podman-system-service.1.html

Using the remote client
——————
https://github.com/containers/podman/blob/main/docs/tutorials/remote_client.md
