Podman basic usage and image signing
Common Podman operations
Generating a systemd service file
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
015504d3ae13 docker.io/library/httpd:latest httpd-foreground 3 minutes ago Up 3 minutes ago 0.0.0.0:80->80/tcp web
[root@localhost ~]#
There is already a running container; we generate a unit from it. --name selects the container to generate from, --files writes the unit to a file (container-<name>.service in the current directory) instead of printing it to stdout, and --new makes the unit create a fresh container with podman run on every start and remove it on stop, rather than starting and stopping the existing container by name.
[root@localhost ~]# podman generate systemd --name web --files --new
/root/container-web.service
[root@localhost ~]#
[root@localhost ~]# ls
anaconda-ks.cfg container-web.service
[root@localhost ~]# vim container-web.service
[Unit]
Description=Podman container-web.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/%n.ctr-id
ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --cgroups=no-conmon --rm --sdnotify=conmon --replace -d --name web -p 80:80 httpd
ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all

[Install]
WantedBy=default.target
Copy the generated file into a systemd unit directory. The page uses /usr/lib/systemd/system/, which is reserved for units shipped by packages; locally written units conventionally go in /etc/systemd/system/. If the file is edited after systemd has already loaded it, run systemctl daemon-reload.
[root@localhost ~]# cp container-web.service /usr/lib/systemd/system/
Check the status (the unit is loaded but not yet enabled or running):
[root@localhost ~]# systemctl status container-web.service
● container-web.service - Podman container-web.service
Loaded: loaded (/usr/lib/systemd/system/container-web.service; disabl>
Active: inactive (dead)
Docs: man:podman-generate-systemd(1)
Now delete the container. Because the unit was generated with --new, the service file alone is enough to recreate an identical container later, even though no container exists any more:
[root@localhost ~]# podman rm -f web
015504d3ae138ad0a6ccec4aca0c98e3ce9ad106c1f265bf7aaed2a28a847119
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@localhost ~]# systemctl status container-web.service
● container-web.service - Podman container-web.service
Loaded: loaded (/usr/lib/systemd/system/container-web.service; disabl>
Active: inactive (dead)
Docs: man:podman-generate-systemd(1)
Enable the container to start at boot. The symlink is created under default.target.wants because the generated unit's [Install] section has WantedBy=default.target:
[root@localhost ~]# systemctl enable container-web.service
Created symlink /etc/systemd/system/default.target.wants/container-web.service → /usr/lib/systemd/system/container-web.service.
[root@localhost ~]# systemctl enable --now container-web.service
[root@localhost ~]# systemctl status container-web.service
● container-web.service - Podman container-web.service
Loaded: loaded (/usr/lib/systemd/system/container-web.service; enable>
Active: active (running) since Mon 2022-08-15 06:10:33 EDT; 8s ago
Docs: man:podman-generate-systemd(1)
Process: 88163 ExecStartPre=/bin/rm -f /run/container-web.service.ctr->
Main PID: 88255 (conmon)
Tasks: 2 (limit: 23460)
Memory: 2.0M
CGroup: /system.slice/container-web.service
└─88255 /usr/bin/conmon --api-version 1 -c 2e716e3ad05538d806>
Aug 15 06:10:33 localhost.localdomain systemd[1]: Starting Podman contai>
Aug 15 06:10:33 localhost.localdomain systemd[1]: Started Podman contain>
Aug 15 06:10:33 localhost.localdomain podman[88165]: 2e716e3ad05538d8069>
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2e716e3ad055 docker.io/library/httpd:latest httpd-foreground 18 seconds ago Up 18 seconds ago 0.0.0.0:80->80/tcp web
[root@localhost ~]# systemctl stop container-web.service
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
Reboot to check that the container comes back on its own:
[root@localhost ~]# reboot
(SSH connection dropped during the reboot)
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
90b554ca4f66 docker.io/library/httpd:latest httpd-foreground 40 seconds ago Up 40 seconds ago 0.0.0.0:80->80/tcp web
logs: view the container's log output (httpd sends its error log and access log to stdout/stderr, so client addresses and requests appear here):
[root@localhost ~]# podman logs web
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.2. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.2. Set the 'ServerName' directive globally to suppress this message
[Mon Aug 15 10:11:47.603765 2022] [mpm_event:notice] [pid 1:tid 140526358101312] AH00489: Apache/2.4.54 (Unix) configured -- resuming normal oper
...
[Mon Aug 15 10:11:47.609324 2022] [core:notice] [pid 1:tid 140526358101312] AH00094: Command line: 'httpd -D FOREGROUND'
192.168.171.1 - - [15/Aug/2022:10:19:33 +0000] "GET / HTTP/1.1" 200 45
192.168.171.1 - - [15/Aug/2022:10:19:33 +0000] "GET /favicon.ico HTTP/1.1" 404 196
[root@localhost ~]#
port: show the container's port mappings
[root@localhost ~]# podman port web
80/tcp -> 0.0.0.0:80
[root@localhost ~]#
rename: rename a container
# The new name applies only to this container instance: the unit file still runs podman run --name web, so the next start through systemd recreates it as web.
[root@localhost ~]# podman rename web kangweb
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
90b554ca4f66 docker.io/library/httpd:latest httpd-foreground 10 minutes ago Up 10 minutes ago 0.0.0.0:80->80/tcp kangweb
[root@localhost ~]#
system df: show the storage used by images, containers and local volumes (this is disk usage, not a mount table)
[root@localhost ~]# podman system df
TYPE TOTAL ACTIVE SIZE RECLAIMABLE
Images 1 1 149.4MB 0B (0%)
Containers 1 1 14B 0B (0%)
Local Volumes 0 0 0B 0B (0%)
[root@localhost ~]#
Basic Podman setup and usage
Run a container, mapping port 8080 and passing environment variables:
[root@localhost ~]# podman run -dt -p 8080:8080/tcp -e HTTPD_VAR_RUN=/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d \
> -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf \
> -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \
> registry.fedoraproject.org/f29/httpd /usr/bin/run-httpd
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob 7692efc5f81c done
Copying blob aaf5ad2e1aa3 done
Copying blob d77ff9f653ce done
Copying config 25c76f9dcd done
Writing manifest to image destination
Storing signatures
4092d310f250446461e721662dbeeffd894773c7004fa48f6029c09ad1bed9f5
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
90b554ca4f66 docker.io/library/httpd:latest httpd-foreground 29 minutes ago Up 29 minutes ago 0.0.0.0:80->80/tcp kangweb
4092d310f250 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 12 seconds ago Up 12 seconds ago 0.0.0.0:8080->8080/tcp festive_cray
Inspect the running container
-l (--latest) refers to the most recently created container:
[root@localhost ~]# podman inspect -l |grep -i ipaddress
"IPAddress": "10.88.0.3",
"IPAddress": "10.88.0.3",
[root@localhost ~]# curl 10.88.0.3:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Test Page for the Apache HTTP Server on Fedora</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
View the processes running in the container (podman top)
# PID 1 is httpd; the rest are its child processes.
[root@localhost ~]# podman top -l
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
default 1 0 0.000 6m18.182983987s pts/0 0s httpd -D FOREGROUND
default 23 1 0.000 6m17.183560409s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 24 1 0.000 6m17.183704089s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 25 1 0.000 6m17.183786824s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 26 1 0.000 6m17.183868727s pts/0
Checkpointing a container
Checkpointing stops the container and writes the state of all its processes, including their memory, to disk, so the container can later be restored and resume from exactly that point in time. This requires CRIU 3.11 or later on the host. It is not supported for rootless containers, so to try it, recreate the container as root with the same command. It is similar to taking a snapshot. Because the checkpoint contains the processes' memory pages, any secrets held in memory (TLS keys, session tokens) end up on disk; protect the checkpoint directory accordingly.
[root@localhost ~]# podman container checkpoint -l
4092d310f250446461e721662dbeeffd894773c7004fa48f6029c09ad1bed9f5
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
Restoring a container
Restore works only on a container that was previously checkpointed; the restored container continues from the same point in time as the checkpoint. To restore the container:
[root@localhost ~]# podman container restore -l
4092d310f250446461e721662dbeeffd894773c7004fa48f6029c09ad1bed9f5
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4092d310f250 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 11 minutes ago Up 11 minutes ago 0.0.0.0:8080->8080/tcp festive_cray
[root@localhost ~]#
Signing and distributing images
# Start a registry as a container on the local machine (no TLS and no persistent volume, so this is a lab setup whose contents vanish with the container):
[root@localhost ~]# podman run -d -p 5000:5000 docker.io/registry
Trying to pull docker.io/library/registry:latest...
Getting image source signatures
Copying blob e2ead8259a04 done
Copying blob 3790aef225b9 done
...
Storing signatures
340dafa70dc1c89c610673f7586ff90b334fd63e3499caef912dbd980ef25883
# Port 5000 is now listening:
[root@localhost ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:5000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
[root@localhost ~]#
The registry knows nothing about image signatures; it only provides remote storage for container images. So if we sign images, we have to take care of distributing the signatures ourselves. The scheme used here is Podman's "simple signing": a detached GPG signature over the image manifest, stored in a separate lookaside location (the sigstore) that clients consult when verifying.
# Pick a standard image for the signing experiment: alpine
[root@localhost ~]# podman pull docker.io/alpine:latest
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob 59bf1c3509f3 done
Copying config c059bfaa84 done
Writing manifest to image destination
Storing signatures
c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18
[root@localhost ~]#
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/httpd latest f2a976f932ec 13 days ago 149 MB
docker.io/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
Now retag the image so that it points at the local registry (note the typo apine in the tag; the pushes further down use other tag names because the image was retagged in between, which is not shown):
[root@localhost ~]# podman tag alpine localhost:5000/apine
[root@localhost ~]# podman images alpine
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
localhost:5000/apine latest c059bfaa849c 8 months ago 5.87 MB
[root@localhost ~]#
Podman can push an image and sign it in one command. For that to work, we must edit the system-wide lookaside configuration in /etc/containers/registries.d/default.yaml. Two keys matter: sigstore-staging is the write location where podman push --sign-by stores new signatures, and sigstore is the read location from which clients fetch signatures when verifying. Here signatures are written to a local directory and served to clients over HTTP on port 8000 (that web server is started later on).
[root@localhost ~]# cd /etc/containers/
[root@localhost containers]# ls
certs.d policy.json registries.conf.d storage.conf
oci registries.conf registries.d
[root@localhost containers]# cd registries.d/
[root@localhost registries.d]# ls
default.yaml registry.access.redhat.com.yaml registry.redhat.io.yaml
[root@localhost registries.d]# vim default.yaml
default-docker:
  # sigstore: file:///var/lib/containers/sigstore
  sigstore: http://localhost:8000          # add this line
  sigstore-staging: file:///var/lib/containers/sigstore
Pushing now fails because there is no GPG key for the --sign-by identity in root's keyring (podman reports the identity passed to --sign-by; the identity printed in the error line below does not match the command and is an artifact of the transcript):
[root@localhost ~]# podman push --tls-verify=false --sign-by 3102907818@qq.com localhost:5000/apline
Getting image source signatures
Copying blob 8d3ac3489996 done
Copying config c059bfaa84 done
Writing manifest to image destination
Signing manifest
Error: creating signature: key "sgrunert@suse.com" not found
[root@localhost ~]#
We must create a GPG key pair or choose an existing local one. To generate a new key, run the following and follow the interactive dialog. Note that the key generated here never expires; for a real signing key, set an expiry, protect the private key and its passphrase (whoever holds them can produce signatures that verifiers trust), and keep the revocation certificate that gpg stores under ~/.gnupg/openpgp-revocs.d/ somewhere safe.
[root@localhost ~]# gpg --full-gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: 3102907818@qq.com
Name may not start with a digit
Real name: nuanchun
Email address: 3102907818@qq.com
Comment: jjyy
You selected this USER-ID:
"nuanchun (jjyy) <3102907818@qq.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 59EF2D3481CF675F marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/3BB8A8D7C5BECFED212DFCCD59EF2D3481CF675F.rev'
public and secret key created and signed.
pub rsa2048 2022-08-15 [SC]
3BB8A8D7C5BECFED212DFCCD59EF2D3481CF675F
uid nuanchun (jjyy) <3102907818@qq.com>
sub rsa2048 2022-08-15 [E]
[root@localhost ~]#
During the next push, pinentry asks for the passphrase of the signing key:
┌───────────────────────────────────────────────────────────────┐
│ Please enter the passphrase to unlock the OpenPGP secret key: │
│ "nuanchun (jjyy) <3102907818@qq.com>"                         │
│ 2048-bit RSA key, ID 59EF2D3481CF675F,                        │
│ created 2022-08-15.                                           │
│                                                               │
│ Passphrase: _                                                 │
│                                                               │
│        <OK>                                     <Cancel>      │
└───────────────────────────────────────────────────────────────┘
[root@localhost registries.d]# podman push --tls-verify=false --sign-by 3102907818@qq.com localhost:5000/kang
Getting image source signatures
Copying blob 8d3ac3489996 done
Copying config c059bfaa84 done
Writing manifest to image destination
Signing manifest
Storing signatures
[root@localhost registries.d]#
The push wrote the signature into the staging directory. The lookaside layout is one directory per image, named <repository>@sha256=<manifest digest>, containing the files signature-1, signature-2, ... (one per signature):
[root@localhost ~]# ls /var/lib/containers/sigstore
'kang@sha256=a65d71e7a88c3a63246ec299abb0dcec671579ac0af199d96e2a82339f061199'
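The verifying side is missing from the page: the default.yaml edit above and the signature written into the staging directory only matter if a client is configured to require the signature. The following is an added example, not code from the original page or from the Podman project. It writes the consumer-side configuration that enforces the signatures produced above (a policy.json that rejects everything except images from localhost:5000 signed by the exported key, plus the registries.d entry that tells the client where the lookaside server is) and includes a small helper that counts signature files in the staging layout shown by the ls above. Assumptions: the public key has been exported with gpg --export 3102907818@qq.com > /etc/pki/containers/nuanchun.gpg (path chosen here, not from the page), the lookaside server is the python http.server on port 8000 from default.yaml, and the function names are mine. The functions take an output directory so they can be exercised on a scratch path; on a real consumer the files go to /etc/containers/.

```shell
#!/bin/sh
# Added example: consumer-side enforcement of Podman simple signing.
# Not part of the original page. Assumed paths: exported public key at
# /etc/pki/containers/nuanchun.gpg, lookaside server at http://localhost:8000.

# Write a policy.json that rejects unsigned images by default and accepts
# images from localhost:5000 only when signed by the given GPG public key.
# Images already in local storage (containers-storage) are accepted so that
# podman run on a pulled image keeps working.
# $1 = output directory, $2 = path to the exported public key
write_signature_policy() {
    dir=$1
    keypath=$2
    mkdir -p "$dir/registries.d"
    cat > "$dir/policy.json" <<EOF
{
  "default": [ { "type": "reject" } ],
  "transports": {
    "docker": {
      "localhost:5000": [
        { "type": "signedBy", "keyType": "GPGKeys", "keyPath": "$keypath" }
      ]
    },
    "containers-storage": { "": [ { "type": "insecureAcceptAnything" } ] }
  }
}
EOF
    # Tell the client where to fetch signatures for this registry.
    # This is the read-side counterpart of sigstore-staging in default.yaml.
    cat > "$dir/registries.d/localhost-5000.yaml" <<EOF
docker:
  localhost:5000:
    sigstore: http://localhost:8000
EOF
}

# Count the signature files stored for one image digest in the lookaside tree.
# Layout written by podman push --sign-by: <name>@sha256=<digest>/signature-N
# $1 = sigstore root, $2 = repository name (e.g. kang), $3 = sha256 hex digest
count_signatures() {
    sigdir="$1/$2@sha256=$3"
    n=0
    if [ -d "$sigdir" ]; then
        for f in "$sigdir"/signature-*; do
            [ -f "$f" ] && n=$((n + 1))
        done
    fi
    echo "$n"
}

# Stand-alone demo: ./verify-config.sh --demo writes the files to a scratch
# directory and prints the generated policy.
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp -d)
    write_signature_policy "$scratch" /etc/pki/containers/nuanchun.gpg
    cat "$scratch/policy.json"
    echo "signatures for kang: $(count_signatures /var/lib/containers/sigstore kang \
        a65d71e7a88c3a63246ec299abb0dcec671579ac0af199d96e2a82339f061199)"
    rm -rf "$scratch"
fi
```

After copying policy.json to /etc/containers/ and the yaml into /etc/containers/registries.d/ on the consumer, podman pull localhost:5000/kang succeeds only when a signature by that key is found at the lookaside URL; an unsigned image, or one signed with a different key, is refused by the policy. Keep the key file readable only by the users who need to pull, and distribute it over a trusted channel, since the policy trusts whatever key sits at keyPath.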
To serve the signatures at http://localhost:8000 as configured in default.yaml, install Python and start a simple HTTP server with /var/lib/containers/sigstore as its document root (the prompt shows the shell is already in that directory):
[root@localhost sigstore]# yum -y install python38
[root@localhost sigstore]# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
[root@localhost ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 5 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
[root@localhost ~]#
With the Python server running, a firewall rule is needed before other hosts on the LAN can reach port 8000:
[root@localhost ~]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=192.168.171.0/24 port port=8000 protocol=tcp accept' --permanent
success
[root@localhost ~]#
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]#
Open port 8000 from a browser on another machine; successful requests appear in the server's log:
[root@localhost sigstore]# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.171.1 - - [15/Aug/2022 10:32:13] "GET / HTTP/1.1" 200 -
192.168.171.1 - - [15/Aug/2022 10:32:13] code 404, message File not found
192.168.171.1 - - [15/Aug/2022 10:32:13] "GET /favicon.ico HTTP/1.1" 404 -
Two caveats for anything beyond a lab. First, producing signatures is only half of the scheme: clients verify nothing unless their /etc/containers/policy.json requires a signedBy entry for the registry with the exported public key, and their registries.d points sigstore at the lookaside server; with the default insecureAcceptAnything policy the signatures are simply ignored. Second, python3 -m http.server is a development server with no access control or TLS, and the registry here runs without TLS (hence --tls-verify=false). Serving the sigstore over plain HTTP does not weaken the signatures themselves, because their integrity comes from the GPG key, but registry traffic and the distribution of the public key still need a trusted channel.