Podman container autostart and networking

This article explains in detail how to use Podman on Linux to set up container autostart at boot for a normal (non-root) user: creating the container, generating the systemd service file, configuring cgroups and storage.conf. It then demonstrates creating a network, editing its configuration, and deploying a web application on it.

Container autostart at boot

# Create the container
[root@localhost ~]# podman create --name nginx nginx
✔ docker.io/library/nginx:latest
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob 44be98c0fab6 done  
Copying blob 881ff011f1c9 done  
Copying blob e5ae68f74026 done  
Copying blob ed835de16acd done  
Copying blob 77700c52c969 done  
Copying blob 21e0df283cd6 done  
Copying config f652ca386e done  
Writing manifest to image destination
Storing signatures
066afb3e2a7434c1ec57d70d05f5ce8caafb9281df28a745c676dcd2c7e172de

# Generate the autostart unit file
[root@localhost ~]# podman generate systemd --files --name nginx
/root/container-nginx.service

[root@localhost ~]# mv container-nginx.service  /usr/lib/systemd/system/
[root@localhost ~]# systemctl enable --now container-nginx
Created symlink /etc/systemd/system/multi-user.target.wants/container-nginx.service → /usr/lib/systemd/system/container-nginx.service.
Created symlink /etc/systemd/system/default.target.wants/container-nginx.service → /usr/lib/systemd/system/container-nginx.service.
[root@localhost ~]# systemctl status container-nginx
● container-nginx.service - Podman container-nginx.service
   Loaded: loaded (/usr/lib/systemd/system/container-nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-12-15 00:59:20 EST; 12s ago

Setting up container autostart for a non-root user

Before users without root privileges are allowed to run Podman, the administrator must install or build Podman and complete the following configuration.

The cgroup v2 Linux kernel feature lets you limit the resources that a normal user's containers may use. If the Linux distribution running Podman has cgroup v2 enabled, the default OCI runtime may need to be changed: some older versions of runc do not work with cgroup v2, so you must switch to the alternative OCI runtime crun.

[root@localhost ~]# yum  -y install crun

[root@localhost ~]# vim /usr/share/containers/containers.conf

runtime = "crun"      # uncomment this line
#runtime = "runc"     # comment this line out

Configure the storage.conf file
[root@localhost ~]# vim /etc/containers/storage.conf

mount_program = "/usr/bin/fuse-overlayfs"	# uncomment this line


# Create a user
[root@localhost ~]# useradd nea
[root@localhost ~]# echo "1" | passwd  --stdin nea
[root@localhost ~]# ssh nea@192.168.8.135
The authenticity of host '192.168.8.135 (192.168.8.135)' can't be established.
ECDSA key fingerprint is SHA256:dzzlHSpB1lpDe/bgiyOkjCtNZKcqZAe3Tc4CSG5ae9s.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.8.135' (ECDSA) to the list of known hosts.
nea@192.168.8.135's password: 
Last login: Wed Dec 15 01:26:08 2021 from 192.168.8.1
[nea@localhost ~]$ 

# This directory must be created under the home directory, and its name cannot be changed
[nea@localhost ~]$ mkdir -p ~/.config/systemd/user
[nea@localhost ~]$ cd ~/.config/systemd/user
# Create the container
[nea@localhost user]$ podman run -d --name test nginx
[nea@localhost user]$ podman generate systemd --name test --files --new

# Stop the container
[nea@localhost user]$ podman stop test
test
[nea@localhost user]$ podman ps
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

# If you did not log in via ssh or re-enter the Linux system, reload the user's systemd units first
[nea@localhost user]$ systemctl --user daemon-reload
[nea@localhost user]$ systemctl --user enable --now container-test.service 
Created symlink /home/nea/.config/systemd/user/multi-user.target.wants/container-test.service → /home/nea/.config/systemd/user/container-test.service.
Created symlink /home/nea/.config/systemd/user/default.target.wants/container-test.service → /home/nea/.config/systemd/user/container-test.service.
[nea@localhost user]$ podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS       NAMES
2c79cfc6f4f7  docker.io/library/nginx:latest  nginx -g daemon o...  6 seconds ago  Up 6 seconds ago              test

[nea@localhost user]$ systemctl --user status container-test.service 
● container-test.service - Podman container-test.service
   Loaded: loaded (/home/nea/.config/systemd/user/container-test.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-12-15 01:44:49 EST; 9min ago
     Docs: man:podman-generate-systemd(1)
  Process: 19217 ExecStartPre=/bin/rm -f /run/user/1001/container-test.service.ctr-id (code=exited, status=0/SUCCESS)
 Main PID: 19257 (conmon)
   CGroup: /user.slice/user-1001.slice/user@1001.service/container-test.service
           ├─19251 /usr/bin/fuse-overlayfs -o ,lowerdir=/home/nea/.local/share/containers/storage/overlay/l/5S2WLHYYVZAJ3G7TOACCLLOJ52:/home/nea/.local/share/>
           ├─19253 /usr/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable-sandbox --enable-seccomp -c -e 3 -r 4 --netns-type=path /run/user/1001/ne>
           ├─19257 /usr/bin/conmon --api-version 1 -c 2c79cfc6f4f71f1c4bbb69240883347d9da098ae26147c463d904fe61f75cf8b -u 2c79cfc6f4f71f1c4bbb69240883347d9da0>
           ├─19260 nginx: master process nginx -g daemon off;
           ├─19286 nginx: worker process
           └─19287 nginx: worker process
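The post enables the unit with `systemctl --user enable --now`, which starts the container whenever the user's systemd instance starts. For that instance to come up at boot with nobody logged in, systemd also needs `loginctl enable-linger <user>`, which the post does not show. The following preflight script is an added example, not code from the post or from Podman: it checks the runtime and mount_program settings from this section, whether cgroup v2 is mounted, and whether linger is enabled. File paths are the defaults the post edits; the cgroup marker file and the linger directory are the standard kernel and systemd locations, and the config strings in the test are constructed.

```python
"""Preflight checks for rootless Podman autostart (added example)."""
import os
import re

# Podman reads these in order; a later file overrides an earlier one.
CONTAINERS_CONF = ("/usr/share/containers/containers.conf",
                   "/etc/containers/containers.conf")
STORAGE_CONF = "/etc/containers/storage.conf"
LINGER_DIR = "/var/lib/systemd/linger"   # `loginctl enable-linger` drops a marker file here
CGROUP_ROOT = "/sys/fs/cgroup"

# Uncommented `key = "value"` line; a leading '#' makes the line not match.
_KEY = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*"([^"]*)"')


def conf_value(text, key):
    """Return the last uncommented `key = "value"` in a TOML-style config, or None."""
    value = None
    for line in text.splitlines():
        m = _KEY.match(line)
        if m and m.group(1) == key:
            value = m.group(2)
    return value


def effective_runtime(texts):
    """OCI runtime after applying the config files in order (later file wins)."""
    runtime = None
    for text in texts:
        v = conf_value(text, "runtime")
        if v is not None:
            runtime = v
    return runtime


def cgroup_v2_mounted(root=CGROUP_ROOT):
    """cgroup v2 exposes cgroup.controllers at the hierarchy root; v1 does not."""
    return os.path.isfile(os.path.join(root, "cgroup.controllers"))


def linger_enabled(user, linger_dir=LINGER_DIR):
    """True when `loginctl enable-linger USER` has created the marker file."""
    return os.path.isfile(os.path.join(linger_dir, user))


def preflight(user, conf_texts, storage_text, cgroup_v2, linger):
    """Return a list of problems found; an empty list means the host is ready."""
    problems = []
    runtime = effective_runtime(conf_texts)
    if cgroup_v2 and runtime != "crun":
        problems.append(f'cgroup v2 host but runtime is {runtime!r}; set runtime = "crun"')
    if conf_value(storage_text, "mount_program") is None:
        problems.append("storage.conf: mount_program is commented out; rootless overlay may fail")
    if not linger:
        problems.append(f"run `loginctl enable-linger {user}` or user units will not start at boot")
    return problems


def _read(path):
    try:
        with open(path) as f:
            return f.read()
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "nea"   # user from the post
    issues = preflight(user, [_read(p) for p in CONTAINERS_CONF], _read(STORAGE_CONF),
                       cgroup_v2_mounted(), linger_enabled(user))
    for p in issues:
        print("MISSING:", p)
    sys.exit(1 if issues else 0)
```

Run it as root with the user name as the argument before enabling the unit; a non-zero exit lists what is still missing. Note that the post edits /usr/share/containers/containers.conf, which a package update may overwrite; the script also reads /etc/containers/containers.conf, where the same setting survives updates.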

Podman networking

[root@localhost ~]# podman inspect nginx |grep -i ipaddr
            "IPAddress": "10.88.0.2",
                    "IPAddress": "10.88.0.2",

Creating a network

[root@localhost ~]# podman network create newnetwork
/etc/cni/net.d/newnetwork.conflist
[root@localhost ~]# podman network ls
NETWORK ID    NAME        VERSION     PLUGINS
2f259bab93aa  podman      0.4.0       bridge,portmap,firewall,tuning
37c09853ac48  newnetwork  0.4.0       bridge,portmap,firewall,tuning

Edit the subnet and gateway in the newly generated network configuration file, or specify them when creating the network: --subnet sets the network address and mask, --gateway sets the gateway.

[root@localhost ~]# vim /etc/cni/net.d/newnetwork.conflist 
···
   "cniVersion": "0.4.0",
   "name": "newnetwork",
   "plugins": [
      {
         "type": "bridge",
         "bridge": "cni-podman1",
         "isGateway": true,
         "ipMasq": true,
         "hairpinMode": true,
         "ipam": {
            "type": "host-local",
            "routes": [
               {
                  "dst": "0.0.0.0/0"
               }
            ],
            "ranges": [
               [
                  {
                     "subnet": "10.89.0.0/24",
                     "gateway": "10.89.0.1"
                  }
               ]
            ]
         }
      },
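Editing the subnet by hand is easy to get wrong (a gateway outside the new range, or a range that collides with Podman's default 10.88.0.0/16 visible in the `ip a` output later in the post). The following is an added example, not code from the post or from Podman: it rewrites the host-local range in a conflist of the shape shown above, rejects a gateway outside the subnet, and reports overlaps with other networks. The two sample conflists are constructed to match the default network and the newnetwork file from this section.

```python
"""Edit the subnet/gateway of a Podman CNI conflist and check for overlap (added example)."""
import copy
import ipaddress
import json


def ipam_ranges(conflist):
    """Yield (subnet, gateway) for every host-local range of the bridge plugin."""
    for plugin in conflist.get("plugins", []):
        if plugin.get("type") != "bridge":
            continue
        for group in plugin.get("ipam", {}).get("ranges", []):
            for r in group:
                yield r["subnet"], r.get("gateway")


def set_subnet(conflist, subnet, gateway=None):
    """Return a copy with the bridge range replaced.

    The gateway defaults to the first usable address and must lie inside the
    subnet, which is also what `podman network create --gateway` requires.
    """
    net = ipaddress.ip_network(subnet, strict=True)   # rejects host bits such as 10.89.0.5/24
    gw = ipaddress.ip_address(gateway) if gateway else next(net.hosts())
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    new = copy.deepcopy(conflist)
    for plugin in new["plugins"]:
        if plugin["type"] == "bridge":
            plugin["ipam"]["ranges"] = [[{"subnet": str(net), "gateway": str(gw)}]]
            return new
    raise ValueError("no bridge plugin in conflist")


def overlaps(conflist, others):
    """Names of other networks whose subnets overlap this one's (routing would break)."""
    mine = [ipaddress.ip_network(s) for s, _ in ipam_ranges(conflist)]
    hits = []
    for other in others:
        for s, _ in ipam_ranges(other):
            if any(ipaddress.ip_network(s).overlaps(n) for n in mine):
                hits.append(other["name"])
                break
    return hits


def bridge_conflist(name, bridge, subnet, gateway):
    """Build a minimal conflist in the same shape as the file shown in the post."""
    return {
        "cniVersion": "0.4.0",
        "name": name,
        "plugins": [{
            "type": "bridge", "bridge": bridge, "isGateway": True,
            "ipMasq": True, "hairpinMode": True,
            "ipam": {"type": "host-local",
                     "routes": [{"dst": "0.0.0.0/0"}],
                     "ranges": [[{"subnet": subnet, "gateway": gateway}]]},
        }],
    }


# Constructed samples: Podman's default network and the newnetwork from the post.
DEFAULT_NET = bridge_conflist("podman", "cni-podman0", "10.88.0.0/16", "10.88.0.1")
NEW_NET = bridge_conflist("newnetwork", "cni-podman1", "10.89.0.0/24", "10.89.0.1")

if __name__ == "__main__":
    moved = set_subnet(NEW_NET, "10.88.5.0/24")   # inside the default network's /16
    print("overlap with:", overlaps(moved, [DEFAULT_NET]))
    print(json.dumps(set_subnet(NEW_NET, "10.90.0.0/24", "10.90.0.1"), indent=3))
```

To apply it to a real host, load /etc/cni/net.d/newnetwork.conflist with `json.load`, pass the other conflists in that directory to `overlaps`, and write the result back with `json.dump` before starting containers on the network.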
     

Edit /usr/share/containers/containers.conf to make the newly created network the default network

[root@localhost ~]# vim /usr/share/containers/containers.conf 
#default_network = "podman"
default_network = "newnetwork"

Creating a container

[root@localhost ~]# podman run -d --name web nginx

[root@localhost ~]# podman inspect web |grep -i ipaddr
            "IPAddress": "10.89.0.2",
                    "IPAddress": "10.89.0.2",

[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:a2:2a:59 brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.135/24 brd 192.168.8.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fea2:2a59/64 scope link 
       valid_lft forever preferred_lft forever
3: cni-podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 8e:aa:3f:8c:b2:49 brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
       valid_lft forever preferred_lft forever
    inet6 fe80::8caa:3fff:fe8c:b249/64 scope link 
       valid_lft forever preferred_lft forever
4: vethb1f1f1af@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default 
    link/ether 9a:f2:de:2c:de:83 brd ff:ff:ff:ff:ff:ff link-netns cni-1c72847f-e2e7-6b46-3775-ec3bcbd83b6c
    inet6 fe80::98f2:deff:fe2c:de83/64 scope link 
       valid_lft forever preferred_lft forever
5: cni-podman1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 22:ad:fe:39:10:a6 brd ff:ff:ff:ff:ff:ff
    inet 10.89.0.1/24 brd 10.89.0.255 scope global cni-podman1
       valid_lft forever preferred_lft forever
    inet6 fe80::20ad:feff:fe39:10a6/64 scope link 
       valid_lft forever preferred_lft forever
6: veth1811ed22@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman1 state UP group default 
    link/ether 4a:3e:f5:e6:f1:04 brd ff:ff:ff:ff:ff:ff link-netns cni-003fba9d-b514-6b67-4b23-5927e4fd1f4e
    inet6 fe80::483e:f5ff:fee6:f104/64 scope link 
       valid_lft forever preferred_lft forever

When you want a Docker container to restart automatically when the host boots, and to receive a randomly assigned port mapping each time, you can use specific command-line options when creating the container. The setup is described in detail below.

Creating a container with autostart using `docker run`

To have the container start at boot with a random port mapping, the key is understanding two parameters:

- `--restart=always`, or a related policy such as `on-failure`, which makes the Docker service try to restart the container after the host reboots.
- Publishing a random port with `-p [hostInterface:]<containerPort>/[protocol]`, where the protocol defaults to TCP. If the `[hostPort]:` part is omitted, the operating system picks a free high-range port as the external access point, while the service inside the container keeps listening on the port you specified.

For example, if you have a web application in an image named "mywebapp" that serves HTTP on port 80 by default, the following command runs it and meets the requirements above:

```bash
$ docker run -d \
  --name mywebapp_container \
  --restart always \
  -p 80/tcp \
  mywebapp
```

Note in particular that `-p 80/tcp` binds container port 80 to any available host port rather than to one fixed value (such as `-p 8080:80`). So each time this container stops for some reason and is brought back up, it gets a new, temporary public entry point.

One caveat: under some Docker versions or configurations, fully "pure" random binding of all unspecified ports may not be supported directly, so sometimes you still need to state an explicit value for at least one side (usually the container side) for it to work correctly.

Another, more recommended approach is to use a Compose file in the deployment environment to manage the dependencies and configuration details between application services, which makes the whole process more transparent and controllable.

Example: achieving the same with Docker Compose

First write a simple docker-compose.yml:

```yaml
version: '3'
services:
  web:
    image: nginx             # replace with your own image name
    restart: unless-stopped  # finer-grained control over restart conditions
    ports:
      - "80"
```

Then a single command builds the environment, including the lifecycle rules and the port forwarding:

```shell
$ docker-compose up -d
```

This simplifies the workflow and also improves the project's portability and team collaboration.

Finally, a reminder about security: opening network ports always carries potential risk, so carefully assess whether it is really necessary and, where it is, apply protective measures such as firewall restrictions to shield your application from unnecessary threats.