podman网络
创建网络
[root@localhost ~]# podman network create mynetwork
/etc/cni/net.d/mynetwork.conflist
[root@localhost ~]# podman network ls
NETWORK ID NAME VERSION PLUGINS
2f259bab93aa podman 0.4.0 bridge,portmap,firewall,tuning
6d1b23123e26 mynetwork 0.4.0 bridge,portmap,firewall,tuning
修改新生成的网络配置文件的子网和网关,或者在创建时使用 --subnet 指定网段和子网掩码、--gateway 指定网关
[root@localhost ~]# cat /etc/cni/net.d/mynetwork.conflist
{
"cniVersion": "0.4.0",
"name": "mynetwork",
"plugins": [
{
"type": "bridge",
"bridge": "cni-podman1",
"isGateway": true,
"ipMasq": true,
"hairpinMode": true,
"ipam": {
"type": "host-local",
"routes": [
{
"dst": "0.0.0.0/0"
}
],
"ranges": [
[
{
"subnet": "10.89.0.0/24",
"gateway": "10.89.0.1"
}
]
]
}
},
{
"type": "portmap",
"capabilities": {
"portMappings": true
}
},
{
"type": "firewall",
"backend": ""
},
{
"type": "tuning"
}
]
}
修改/usr/share/containers/containers.conf文件设置默认网络为新创建的网络(注意:/usr/share 下的文件是软件包自带的默认配置,升级时可能被覆盖;管理员自定义配置建议放在 /etc/containers/containers.conf 中)
[root@localhost ~]# vim /usr/share/containers/containers.conf
[network]
# Path to directory where CNI plugin binaries are located.
#
#cni_plugin_dirs = [
# "/usr/local/libexec/cni",
# "/usr/libexec/cni",
# "/usr/local/lib/cni",
# "/usr/lib/cni",
# "/opt/cni/bin",
#]
# The network name of the default CNI network to attach pods to.
default_network = "mynetwork" #添加这一行
#default_network = "podman"
创建容器查看网络
[root@localhost ~]# podman run -d --name web1 docker.io/library/httpd
9c0edcc3302cf254fe366a39b4359102ca55b6aca173bc5feda9e20aff89c274
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9c0edcc3302c docker.io/library/httpd:latest httpd-foreground 26 seconds ago Up 26 seconds ago web1
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:c7:fd:07 brd ff:ff:ff:ff:ff:ff
inet 192.168.47.131/24 brd 192.168.47.255 scope global dynamic noprefixroute ens160
valid_lft 1617sec preferred_lft 1617sec
inet6 fe80::3f21:90c:b838:a699/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: cni-podman0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 4e:12:79:83:f8:b9 brd ff:ff:ff:ff:ff:ff
inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
valid_lft forever preferred_lft forever
inet6 fe80::4c12:79ff:fe83:f8b9/64 scope link
valid_lft forever preferred_lft forever
9: cni-podman1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 66:3e:c6:fe:fd:6d brd ff:ff:ff:ff:ff:ff
inet 10.89.0.1/24 brd 10.89.0.255 scope global cni-podman1
valid_lft forever preferred_lft forever
inet6 fe80::643e:c6ff:fefe:fd6d/64 scope link
valid_lft forever preferred_lft forever
10: vethb11b540c@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman1 state UP group default
link/ether 8a:7b:7c:6f:ed:97 brd ff:ff:ff:ff:ff:ff link-netns cni-086c6872-4095-8410-8ff5-6e5d3635c7bd
inet6 fe80::887b:7cff:fe6f:ed97/64 scope link
valid_lft forever preferred_lft forever
//删除容器,再查看
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9c0edcc3302c docker.io/library/httpd:latest httpd-foreground About a minute ago Up About a minute ago web1
[root@localhost ~]# podman rm -f web1
9c0edcc3302cf254fe366a39b4359102ca55b6aca173bc5feda9e20aff89c274
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:c7:fd:07 brd ff:ff:ff:ff:ff:ff
inet 192.168.47.131/24 brd 192.168.47.255 scope global dynamic noprefixroute ens160
valid_lft 1552sec preferred_lft 1552sec
inet6 fe80::3f21:90c:b838:a699/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: cni-podman0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 4e:12:79:83:f8:b9 brd ff:ff:ff:ff:ff:ff
inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
valid_lft forever preferred_lft forever
inet6 fe80::4c12:79ff:fe83:f8b9/64 scope link
valid_lft forever preferred_lft forever
9: cni-podman1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 66:3e:c6:fe:fd:6d brd ff:ff:ff:ff:ff:ff
inet 10.89.0.1/24 brd 10.89.0.255 scope global cni-podman1
valid_lft forever preferred_lft forever
inet6 fe80::643e:c6ff:fefe:fd6d/64 scope link
valid_lft forever preferred_lft forever
查看子命令的用法
//查看attach这个子命令的用法
[root@localhost ~]# man podman-attach
EXAMPLES
Attach to a container called "foobar".
$ podman attach foobar
Attach to the latest created container.
$ podman attach --latest
Attach to a container that start with the ID "1234".
$ podman attach 1234
Attach to a container without attaching STDIN.
$ podman attach --no-stdin foobar
SEE ALSO
podman(1), podman-exec(1), podman-run(1),
containers.conf(5)
~
~
/EXAMPLE #可在下面搜索例子
Podman防火墙规则
//查看防火墙规则,现在没有规则
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
//运行一个容器,映射80端口
[root@localhost ~]# podman run -d -p 80:80 --name web01 docker.io/library/httpd
bad233cff17143094ba0b44f8e65a85dd40234d27f121b702443d4edaf55e69d
//查看端口映射
[root@localhost ~]# podman port web01
80/tcp -> 0.0.0.0:80
//查看防火墙规则,发现多了一条
[root@localhost ~]# iptables -t nat -nvL
......
Chain CNI-9bc35f3b80829bfcd0a25e88 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 10.89.0.0/24 /* name: "mynetwork" id: "d85b69ff0956c4373c8315b305dbe0ae3343e8868107e9d4f501b11b5268a227" */
0 0 MASQUERADE all -- * * 0.0.0.0/0 !224.0.0.0/4 /* name: "mynetwork" id: "d85b69ff0956c4373c8315b305dbe0ae3343e8868107e9d4f501b11b5268a227" */
Chain CNI-DN-9bc35f3b80829bfcd0a25 (1 references)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 10.89.0.0/24 0.0.0.0/0 tcp dpt:80
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 127.0.0.1 0.0.0.0/0 tcp dpt:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.89.0.3:80
```
//访问测试
//清空防火墙规则(注意:iptables --flush 会清除 filter 表中的全部规则,而不仅是 Podman 生成的规则,仅用于演示)
[root@localhost ~]# iptables --flush #刷新
[root@localhost ~]# iptables -t nat -F #指定表清空
[root@localhost ~]# iptables -t nat -nvL #规则已被清空
Chain PREROUTING (policy ACCEPT 7 packets, 1315 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 7 packets, 1315 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 37 packets, 2473 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 37 packets, 2473 bytes)
pkts bytes target prot opt in out source destination
Chain CNI-HOSTPORT-SETMARK (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-HOSTPORT-MASQ (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-HOSTPORT-DNAT (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-67732b1bf0d3494c4bc76eb6 (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-DN-67732b1bf0d3494c4bc76 (0 references)
pkts bytes target prot opt in out source destination
//规则删除后发现访问不了
//使用 podman network reload 命令重新加载该容器的网络,规则重新出现
[root@localhost ~]# podman network reload web01
d85b69ff0956c4373c8315b305dbe0ae3343e8868107e9d4f501b11b5268a227
[root@localhost ~]# iptables -t nat -nvL
Chain CNI-DN-9bc35f3b80829bfcd0a25 (1 references)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 10.89.0.0/24 0.0.0.0/0 tcp dpt:80
//重新访问
配置文件
//podman 默认网桥的配置文件,容器内部分配的 IP 网段可通过这个文件控制
[root@localhost ~]# cat /etc/cni/net.d/87-podman.conflist
{
"cniVersion": "0.4.0",
"name": "podman",
"plugins": [
{
"type": "bridge",
"bridge": "cni-podman0",
"isGateway": true,
"ipMasq": true,
"hairpinMode": true,
"ipam": {
"type": "host-local",
"routes": [{ "dst": "0.0.0.0/0" }],
"ranges": [
[
{
"subnet": "10.88.0.0/16",
"gateway": "10.88.0.1"
}
]
]
}
},
{
"type": "portmap",
"capabilities": {
"portMappings": true
}
},
{
"type": "firewall"
},
{
"type": "tuning"
}
]
}
podman 容器的开机自启
使用podman generate --help查看用法
[root@localhost ~]# podman generate --help
Generate structured data based on containers, pods or volumes
Description:
Generate structured data (e.g., Kubernetes YAML or systemd units) based on containers, pods or volumes.
Usage:
podman generate [command]
Available Commands:
kube Generate Kubernetes YAML from containers, pods or volumes.
systemd Generate systemd units.
使用podman generate systemd --help查看用法:
[root@localhost ~]# podman generate systemd --help
Generate systemd units.
Description:
Generate systemd units for a pod or container.
The generated units can later be controlled via systemctl(1).
Usage:
podman generate systemd [options] {CONTAINER|POD}
Examples:
podman generate systemd CTR
podman generate systemd --new --time 10 CTR
podman generate systemd --files --name POD
Options:
--container-prefix string Systemd unit name prefix for containers (default "container")
-f, --files Generate .service files instead of printing to stdout
--format string Print the created units in specified format (json)
-n, --name Use container/pod names instead of IDs
--new Create a new container or pod instead of starting an existing one
--no-header Skip header generation
--pod-prefix string Systemd unit name prefix for pods (default "pod")
--restart-policy string Systemd restart-policy (default "on-failure")
--separator string Systemd unit name separator between name/id and prefix (default "-")
-t, --time uint Stop timeout override (default 10)
root Podman容器服务自启动
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d85b69ff0956 docker.io/library/httpd:latest httpd-foreground 12 minutes ago Up 12 minutes ago 0.0.0.0:80->80/tcp web01
[root@localhost ~]# podman generate systemd --files --name web01
/root/container-web01.service
[root@localhost ~]# ls
anaconda-ks.cfg container-web01.service
[root@localhost ~]# mv ./container-web01.service /usr/lib/systemd/system/
[root@localhost system]# pwd
/usr/lib/systemd/system
[root@localhost system]# ls container-web01.service
container-web01.service
[root@localhost system]# systemctl status container-web01.service
Unit container-web01.service could not be found.(显示没有服务;手动移动单元文件后 systemd 尚未重新加载,可能需要先执行 systemctl daemon-reload)
[root@localhost system]# podman run -d --name web docker.io/library/httpd:latest
23aab1e21ff5e7ed8a349a88a22d53953efdc8b9f3c7720b9f88e99bf8dc5202
[root@localhost system]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d85b69ff0956 docker.io/library/httpd:latest httpd-foreground 21 minutes ago Up 21 minutes ago 0.0.0.0:80->80/tcp web01
23aab1e21ff5 docker.io/library/httpd:latest httpd-foreground 3 minutes ago Up 3 minutes ago web
[root@localhost system]# podman generate systemd --files --name web
/usr/lib/systemd/system/container-web.service
#创建的容器名不要含有数字等特殊字符
[root@localhost system]# systemctl stop container-web(停止成功)
[root@localhost system]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d85b69ff0956 docker.io/library/httpd:latest httpd-foreground 22 minutes ago Up 22 minutes ago 0.0.0.0:80->80/tcp web01
23aab1e21ff5 docker.io/library/httpd:latest httpd-foreground 3 minutes ago Exited (0) 5 seconds ago web
[root@localhost ~]# systemctl status container-web
● container-web.service - Podman container-web.service
Loaded: loaded (/usr/lib/systemd/system/container-web.service; disabled; vendor preset: disabl>
Active: inactive (dead)
Docs: man:podman-generate-systemd(1)
12月 15 04:06:43 localhost.localdomain systemd[1]: Starting Podman container-web.service...
12月 15 04:06:43 localhost.localdomain systemd[1]: Started Podman container-web.service.
12月 15 04:06:56 localhost.localdomain systemd[1]: Stopping Podman container-web.service...
12月 15 04:06:57 localhost.localdomain podman[139284]: web
12月 15 04:06:57 localhost.localdomain podman[139493]: web
12月 15 04:06:57 localhost.localdomain systemd[1]: container-web.service: Succeeded.
12月 15 04:06:57 localhost.localdomain systemd[1]: Stopped Podman container-web.service.
非根用户容器开机自启
以普通用户执行systemd开机自启容器
务必注意:请使用普通用户以 SSH 形式远程登录系统,否则中途在生成服务的时候会出现 BUG(通过 su 切换用户不会建立完整的登录会话,systemd --user 可能无法正常工作)
//给普通用户设置密码
[root@localhost ~]# echo '1' | passwd --stdin jj
更改用户 jj 的密码 。
passwd:所有的身份验证令牌已经成功更新。
//ssh登录
[root@localhost ~]# ssh jj@192.168.47.131
The authenticity of host '192.168.47.131 (192.168.47.131)' can't be established.
ECDSA key fingerprint is SHA256:xO8Rw6Y2+7i7JHav8GQJEkzSO2U7PIvJIHSrtYzSE/o.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.47.131' (ECDSA) to the list of known hosts.
jj@192.168.47.131's password:
Last login: Wed Dec 15 03:24:42 2021
[jj@localhost ~]$ podman login docker.io
Username: jiejiehao
Password:
Login Succeeded!
[jj@localhost ~]$ podman run -d --name httpd -p 8080:8080 docker.io/library/httpd
d9c513f7d5d8c59bbffe6a21cc46155962eea689dbda45bfbbd46fcc7f25eed5
[jj@localhost ~]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d9c513f7d5d8 docker.io/library/httpd:latest httpd-foreground 27 seconds ago Up 27 seconds ago 0.0.0.0:8080->8080/tcp httpd
//必须在用户家目录创建此目录,不能更改名字
[jj@localhost ~]$ mkdir -p ~/.config/systemd/user
[jj@localhost ~]$ cd ~/.config/systemd/user/
[jj@localhost user]$ ls
#此时目录为新创建,是空的
//注意当前所在路径,使用podman生成系统服务(依照当前容器自动生成)
[jj@localhost user]$ podman generate systemd --name httpd --files --new
/home/jj/.config/systemd/user/container-httpd.service
[jj@localhost user]$ ls
container-httpd.service
//关闭容器
[jj@localhost user]$ podman stop httpd
httpd
[jj@localhost user]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
//加载一下系统服务
[jj@localhost user]$ systemctl --user daemon-reload
//立即启用服务
[jj@localhost user]$ systemctl --user enable container-httpd.service --now
Created symlink /home/jj/.config/systemd/user/multi-user.target.wants/container-httpd.service → /home/jj/.config/systemd/user/container-httpd.service.
Created symlink /home/jj/.config/systemd/user/default.target.wants/container-httpd.service → /home/jj/.config/systemd/user/container-httpd.service.
//查看服务的状态,已经处于运行状态
[jj@localhost user]$ systemctl --user status container-httpd.service
● container-httpd.service - Podman container-httpd.service
Loaded: loaded (/home/jj/.config/systemd/user/container-httpd.service; enabled; vendor preset:>
Active: active (running) since Wed 2021-12-15 04:16:49 CST; 1min 2s ago
Docs: man:podman-generate-systemd(1)
Process: 156584 ExecStartPre=/bin/rm -f /run/user/1000/container-httpd.service.ctr-id (code=exi>
Main PID: 156666 (conmon)
CGroup: /user.slice/user-1000.slice/user@1000.service/container-httpd.service
├─156646 /usr/bin/fuse-overlayfs -o ,lowerdir=/home/jj/.local/share/containers/storage>
├─156647 /usr/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable-sandbox --e>
├─156651 containers-rootlessport
├─156657 containers-rootlessport-child
├─156666 /usr/bin/conmon --api-version 1 -c 1bffe49cb00a11ee8d4a4ae8b21ae73f442c0e76c3>
├─156669 httpd -DFOREGROUND
├─156692 httpd -DFOREGROUND
├─156693 httpd -DFOREGROUND
└─156694 httpd -DFOREGROUND
//此时查看是否有容器在运行,本来我们已经手动关闭,但只要服务启动,就会自动创建新的容器,只要服务关闭,该容器就会自动删除(这是生成服务时 --new 选项的效果),非常人性化
#而且此服务不需要 root 或 sudo 提权,普通用户即可使用 systemctl --user 命令对其进行控制
[jj@localhost user]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1bffe49cb00a docker.io/library/httpd:latest httpd-foreground About a minute ago Up About a minute ago 0.0.0.0:8080->8080/tcp httpd
//服务关闭,容器自动删除,而且还可以做到开机自动创建,关机自动删除(若希望在用户未登录时也能随开机启动,还需要执行 loginctl enable-linger 用户名)
[jj@localhost user]$ systemctl --user stop container-httpd.service
[jj@localhost user]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[jj@localhost user]$ systemctl --user start container-httpd.service
[jj@localhost user]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6616be7602ed docker.io/library/httpd:latest httpd-foreground 4 seconds ago Up 4 seconds ago 0.0.0.0:8080->8080/tcp httpd