IT数码 购物 网址 头条 软件 日历 阅读 图书馆
TxT小说阅读器
↓语音阅读,小说下载,古典文学↓
图片批量下载器
↓批量下载图片,美女图库↓
图片自动播放器
↓图片自动播放器↓
一键清除垃圾
↓轻轻一点,清除系统垃圾↓
开发: C++知识库 Java知识库 JavaScript Python PHP知识库 人工智能 区块链 大数据 移动开发 嵌入式 开发工具 数据结构与算法 开发测试 游戏开发 网络协议 系统运维
教程: HTML教程 CSS教程 JavaScript教程 Go语言教程 JQuery教程 VUE教程 VUE3教程 Bootstrap教程 SQL数据库教程 C语言教程 C++教程 Java教程 Python教程 Python3教程 C#教程
数码: 电脑 笔记本 显卡 显示器 固态硬盘 硬盘 耳机 手机 iphone vivo oppo 小米 华为 单反 装机 图拉丁
 
   -> 系统运维 -> podman网络、常用命令、以及容器的开机自启 -> 正文阅读

[系统运维]podman网络、常用命令、以及容器的开机自启

podman网络和podman容器的开机自启

podman网络

rootfull和rootless容器网络之间的差异

podman容器联网的指导因素之一将是容器是否由root用户运行。这是因为非特权用户无法在主机上创建网络接口。因此,对于rootfull容器,默认网络模式是使用容器网络接口(CNI)插件,特别是桥接插件。对于rootless,默认的网络模式是slir4netns。由于权限有限,slirnetns缺少CNI组网的一些功能;例如,slirp4netns无法为容器提供可路由的IP地址。cni是容器网络接口

防火墙

防火墙的作用不会影响网络的设置和配置,但会影响这些网络上的流量。最明显的是容器主机的入站网络流量,这些流量通常通过端口映射传递到容器上。根据防火墙的实现,我们观察到防火墙端口由于运行带有端口映射的容器(例如)而自动打开。如果容器流量似乎无法正常工作,请检查防火墙并允许容器正在使用的端口号上的流量。一个常见的问题是重新加载防火墙会删除cni iptables规则,从而导致rootful容器的网络连接丢失。podman v3提供了podman network reload命令来恢复它而无需重新启动容器。

基本网络设置
大多数使用 Podman 运行的容器和 Pod 都遵循几个简单的场景。默认情况下,rootfull Podman 将创建一个桥接网络。这是 Podman 最直接和首选的网络设置。桥接网络在内部桥接网络上为容器创建一个接口,然后通过网络地址转换(NAT)连接到互联网。我们还看到用户也希望macvlan 用于联网。这macvlan插件将整个网络接口从主机转发到容器中,允许它访问主机所连接的网络。最后,无根容器的默认网络配置是 slirp4netns。slirp4netns 网络模式功能有限,但可以在没有 root 权限的用户上运行。它创建了一个从主机到容器的隧道来转发流量。

容器间通信示例

//  启动一个test容器
[root@localhost ~]# podman run -it --name test docker.io/library/busybox:latest /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 9e:79:b4:02:bc:6e brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.2/16 brd 10.88.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::9c79:b4ff:fe02:bc6e/64 scope link 
       valid_lft forever preferred_lft forever
//  启动一个test1容器
Last login: Wed Dec 15 18:17:33 2021 from 192.168.200.1
[root@localhost ~]# podman run -it --name test1 docker.io/library/busybox:latest /bin/sh
/ # ping 10.88.0.2
PING 10.88.0.2 (10.88.0.2): 56 data bytes
64 bytes from 10.88.0.2: seq=0 ttl=64 time=0.064 ms
64 bytes from 10.88.0.2: seq=1 ttl=64 time=0.072 ms
64 bytes from 10.88.0.2: seq=2 ttl=64 time=0.053 ms
64 bytes from 10.88.0.2: seq=3 ttl=64 time=0.055 ms
64 bytes from 10.88.0.2: seq=4 ttl=64 time=0.067 ms
^Z[1]+  Stopped                    ping 10.88.0.2
//每当启动一个容器就会在宿主机上启动一个veth类型的网卡
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:2d:c8:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.200.141/24 brd 192.168.200.255 scope global dynamic noprefixroute ens33
       valid_lft 1215sec preferred_lft 1215sec
    inet6 fe80::5027:eefc:8c9f:a575/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: cni-podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 5a:a0:b3:c5:a3:9c brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
       valid_lft forever preferred_lft forever
    inet6 fe80::58a0:b3ff:fec5:a39c/64 scope link 
       valid_lft forever preferred_lft forever
4: vetha26b4f36@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default 
    link/ether 5e:79:96:43:e8:17 brd ff:ff:ff:ff:ff:ff link-netns cni-1960c697-8aa9-65b9-8127-82de4d41d869
    inet6 fe80::5c79:96ff:fe43:e817/64 scope link 
       valid_lft forever preferred_lft forever
5: vethb37df711@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default 
    link/ether 5a:4d:43:68:dc:ee brd ff:ff:ff:ff:ff:ff link-netns cni-02527c58-38d4-96cc-a5c8-eaa007fce05c
    inet6 fe80::584d:43ff:fe68:dcee/64 scope link 
       valid_lft forever preferred_lft forever



//  当容器停止运行就会关闭
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                             COMMAND     CREATED             STATUS                 PORTS       NAMES
836603d32987  docker.io/library/busybox:latest  /bin/sh     3 minutes ago       Up 3 minutes ago                   test
6dcdce15b6a1  docker.io/library/busybox:latest  /bin/sh     About a minute ago  Up About a minute ago              test1
[root@localhost ~]# podman stop test1 test
test1
test
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:2d:c8:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.200.141/24 brd 192.168.200.255 scope global dynamic noprefixroute ens33
       valid_lft 1132sec preferred_lft 1132sec
    inet6 fe80::5027:eefc:8c9f:a575/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: cni-podman0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 5a:a0:b3:c5:a3:9c brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
       valid_lft forever preferred_lft forever
    inet6 fe80::58a0:b3ff:fec5:a39c/64 scope link 
       valid_lft forever preferred_lft forever

查看防火墙规则

[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
//运行一个容器进行测试,当运行一个容器之后就会自动给容器添加一个规则,并放行其端口号
[root@localhost ~]# podman run -d -p 80:80 --name web --rm docker.io/library/httpd
89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-HOSTPORT-MASQ  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* CNI portfwd requiring masquerade */
    0     0 CNI-d83ef39c9d5296ad8fdd9da6  all  --  *      *       10.88.0.4            0.0.0.0/0            /* name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain CNI-d83ef39c9d5296ad8fdd9da6 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            10.88.0.0/16         /* name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0           !224.0.0.0/4          /* name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */

Chain CNI-HOSTPORT-SETMARK (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* CNI portfwd masquerade mark */ MARK or 0x2000

Chain CNI-HOSTPORT-MASQ (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2000/0x2000

Chain CNI-HOSTPORT-DNAT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-DN-d83ef39c9d5296ad8fdd9  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */ multiport dports 80

Chain CNI-DN-d83ef39c9d5296ad8fdd9 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       10.88.0.0/16         0.0.0.0/0            tcp dpt:80
    0     0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.88.0.4:80

[root@localhost ~]# podman inspect -l | grep -i address
            "IPAddress": "10.88.0.4",
            "GlobalIPv6Address": "",
            "MacAddress": "be:3b:3f:d7:87:94",
            "LinkLocalIPv6Address": "",
                    "IPAddress": "10.88.0.4",
                    "GlobalIPv6Address": "",
                    "MacAddress": "be:3b:3f:d7:87:94",


// 访问测试
[root@localhost ~]# curl 10.88.0.4
<html><body><h1>It works!</h1></body></html>
//使用重启容器恢复防火墙规则
[root@localhost ~]# iptables -t nat -F  //清空防火墙规则
[root@localhost ~]# iptables -t nat -nvL   //已经没有80端口
[root@localhost ~]# iptables -t nat -F 
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain CNI-d83ef39c9d5296ad8fdd9da6 (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CNI-HOSTPORT-SETMARK (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CNI-HOSTPORT-MASQ (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CNI-HOSTPORT-DNAT (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CNI-DN-d83ef39c9d5296ad8fdd9 (0 references)
 pkts bytes target     prot opt in     out     source               destination
// 重启容器
[root@localhost ~]# podman restart -l
89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   152 CNI-HOSTPORT-MASQ  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* CNI portfwd requiring masquerade */
    0     0 CNI-d83ef39c9d5296ad8fdd9da6  all  --  *      *       10.88.0.5            0.0.0.0/0            /* name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain CNI-HOSTPORT-SETMARK (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* CNI portfwd masquerade mark */ MARK or 0x2000

Chain CNI-HOSTPORT-MASQ (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2000/0x2000

Chain CNI-HOSTPORT-DNAT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-DN-d83ef39c9d5296ad8fdd9  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */ multiport dports 80

Chain CNI-d83ef39c9d5296ad8fdd9da6 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            10.88.0.0/16         /* name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0           !224.0.0.0/4          /* name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */

Chain CNI-DN-d83ef39c9d5296ad8fdd9 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       10.88.0.0/16         0.0.0.0/0            tcp dpt:80
    0     0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.88.0.5:80

在这里插入图片描述

podman网络设置

指定网络并运行一个容器

创建podman2网络

[root@localhost ~]# podman network create  podman2
/etc/cni/net.d/podman2.conflist
[root@localhost ~]# 

–subnet指定subnet创建网络

podman network create --sunet 网段 创建的网络名

[root@localhost ~]# podman network create --subnet  192.6.0.0/16 newnet
/etc/cni/net.d/newnet.conflist

–gateway 指定网关

podman network create --subnet 网段 --gateway 网关地址 newnet1

[root@localhost ~]# podman network create --subnet 192.168.13.0/24  --gateway 192.168.13.2 newnet1
/etc/cni/net.d/newnet1.conflist

–ip-range 指定ip起始地址

[root@localhost ~]# podman network create --subnet 192.168.14.0/24 --ip-range 192.168.14.13/25 newnet2
/etc/cni/net.d/newnet2.conflist
[root@localhost ~]# 

查看刚刚创建的网络

[root@localhost ~]# podman network ls 
NETWORK ID    NAME        VERSION     PLUGINS
2f259bab93aa  podman      0.4.0       bridge,portmap,firewall,tuning
884e74728f04  newnet      0.4.0       bridge,portmap,firewall,tuning
45b3499a170b  newnet1     0.4.0       bridge,portmap,firewall,tuning
31213d4efd11  newnet2     0.4.0       bridge,portmap,firewall,tuning
4d24ca3baa36  podman2     0.4.0       bridge,portmap,firewall,tuning

使用刚刚创建的网络,并运行一个容器

格式: podman run --name 容器名 --network 网络名称 镜像名

[root@localhost ~]# podman run -dt --name nginx2 --network podman2  nginx:latest
b926e6a2a1b16b8275fa59813d30139c03ab6678933219fd551acc7105e8c742

查看改容器的网络IP

[root@localhost ~]# podman inspect nginx | grep IP
            "IPAddress": "10.88.0.3",
            "IPPrefixLen": 16,
            "IPv6Gateway": "",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
                    "IPAddress": "10.88.0.3",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "IPAMConfig": null,

podman网络管理

注意:启动一个容器后,会出现cni-poman0网卡,容器启动时,默认会连接podman网络

[root@localhost ~]# ip a show cni-podman0
3: cni-podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ae:fa:0b:90:77:8e brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
       valid_lft forever preferred_lft forever
    inet6 fe80::acfa:bff:fe90:778e/64 scope link 
       valid_lft forever preferred_lft forever

查看容器网路

[root@localhost ~]# podman network ls
NETWORK ID    NAME        VERSION     PLUGINS
2f259bab93aa  podman      0.4.0       bridge,portmap,firewall,tuning
884e74728f04  newnet      0.4.0       bridge,portmap,firewall,tuning
45b3499a170b  newnet1     0.4.0       bridge,portmap,firewall,tuning
31213d4efd11  newnet2     0.4.0       bridge,portmap,firewall,tuning
4d24ca3baa36  podman2     0.4.0       bridge,portmap,firewall,tuning

断开网络(disconnect)

[root@localhost ~]# podman network disconnect podman2 nginx2

重启容器网络(reload)

[root@localhost ~]# podman network reload nginx2
b926e6a2a1b16b8275fa59813d30139c03ab6678933219fd551acc7105e8c742

删除podman网络(rm)

[root@localhost ~]# podman network ls 
NETWORK ID    NAME        VERSION     PLUGINS
2f259bab93aa  podman      0.4.0       bridge,portmap,firewall,tuning
884e74728f04  newnet      0.4.0       bridge,portmap,firewall,tuning
45b3499a170b  newnet1     0.4.0       bridge,portmap,firewall,tuning
31213d4efd11  newnet2     0.4.0       bridge,portmap,firewall,tuning
4d24ca3baa36  podman2     0.4.0       bridge,portmap,firewall,tuning
[root@localhost ~]# podman network rm newnet1 newnet2
newnet1
newnet2
[root@localhost ~]# podman network ls 
NETWORK ID    NAME        VERSION     PLUGINS
2f259bab93aa  podman      0.4.0       bridge,portmap,firewall,tuning
884e74728f04  newnet      0.4.0       bridge,portmap,firewall,tuning
4d24ca3baa36  podman2     0.4.0       bridge,portmap,firewall,tuning

podman常用命令

要更多的命令请点击这里

podman search 查找镜像

[root@podman ~]# podman search httpd --filter=is-official //指定查找官方版本的httpd
INDEX       NAME                     DESCRIPTION                     STARS       OFFICIAL    AUTOMATED
docker.io   docker.io/library/httpd  The Apache HTTP Server Project  3794        [OK] 

podman pull 拉取镜像

[root@localhost ~]# podman images
REPOSITORY                 TAG         IMAGE ID      CREATED       SIZE

[root@localhost ~]# podman pull docker.io/library/nginx 
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob e5ae68f74026 skipped: already exists  
Copying blob 21e0df283cd6 done  
Copying blob 77700c52c969 done  
Copying blob ed835de16acd done  
Copying blob 44be98c0fab6 done  
Copying blob 881ff011f1c9 done  
Copying config f652ca386e done  
Writing manifest to image destination
Storing signatures
f652ca386ed135a4cbe356333e08ef0816f81b2ac8d0619af01e2b256837ed3e

podman images 显示所有镜像

[root@localhost ~]# podman images
REPOSITORY                 TAG         IMAGE ID      CREATED       SIZE
docker.io/library/nginx    latest      f652ca386ed1  13 days ago   146 MB

podman run 运行容器

[root@localhost ~]# podman run -itd --name web01 nginx:latest
6e1d7872c5ec26863d513624d20c1adb64f85eb970fe1c5da1ebeda941eae487

podman ps 列出正在运行的容器

[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED         STATUS             PORTS       NAMES
6e1d7872c5ec  docker.io/library/nginx:latest  nginx -g daemon o...  51 seconds ago  Up 51 seconds ago              web01

// 如果添加 -a 命令,Podman 将显示所有容器(已创建、已退出、正在运行等)
[root@localhost ~]# podman ps -a     
CONTAINER ID  IMAGE                           COMMAND               CREATED         STATUS                     PORTS       NAMES
6e1d7872c5ec  docker.io/library/nginx:latest  nginx -g daemon o...  54 seconds ago  Up 53 seconds ago                      web01
9cffea5123c7  docker.io/library/nginx:latest  nginx -g daemon o...  23 seconds ago  Exited (0) 10 seconds ago              web02

podman inspect 查看容器详细信息

[root@localhost ~]# podman inspect web01
[
    {
        "Id": "6e1d7872c5ec26863d513624d20c1adb64f85eb970fe1c5da1ebeda941eae487",
        "Created": "2021-12-15T18:48:21.76933645+08:00",
        "Path": "/docker-entrypoint.sh",
        "Args": [
            "nginx",
            "-g",
            "daemon off;"
        ],
        "State": {
            "OciVersion": "1.0.2-dev",
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 12767,
            "ConmonPid": 12756,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2021-12-15T18:48:22.484198349+08:00",
            "FinishedAt": "0001-01-01T00:00:00Z",
            "Healthcheck": {
                "Status": "",
                "FailingStreak": 0,
                "Log": null
            }
        },


// -l 查看最新信息
[root@localhost ~]# podman inspect -l | grep -i ipaddress
            "IPAddress": "10.88.0.2",
                    "IPAddress": "10.88.0.2",

podman logs 查看容器日志

// -l 查看最新容器日志
[root@localhost ~]# podman logs -l
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2021/12/15 10:48:53 [notice] 1#1: using the "epoll" event method
2021/12/15 10:48:53 [notice] 1#1: nginx/1.21.4
2021/12/15 10:48:53 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6) 
2021/12/15 10:48:53 [notice] 1#1: OS: Linux 4.18.0-147.el8.x86_64
2021/12/15 10:48:53 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2021/12/15 10:48:53 [notice] 1#1: start worker processes
2021/12/15 10:48:53 [notice] 1#1: start worker process 30
2021/12/15 10:48:53 [notice] 1#1: start worker process 31
2021/12/15 10:49:05 [notice] 1#1: signal 3 (SIGQUIT) received, shutting down
2021/12/15 10:49:05 [notice] 31#31: gracefully shutting down
2021/12/15 10:49:05 [notice] 30#30: gracefully shutting down
2021/12/15 10:49:05 [notice] 31#31: exiting
2021/12/15 10:49:05 [notice] 30#30: exiting
2021/12/15 10:49:05 [notice] 31#31: exit
2021/12/15 10:49:05 [notice] 30#30: exit
2021/12/15 10:49:05 [notice] 1#1: signal 17 (SIGCHLD) received from 30
2021/12/15 10:49:05 [notice] 1#1: worker process 30 exited with code 0
2021/12/15 10:49:05 [notice] 1#1: worker process 31 exited with code 0
2021/12/15 10:49:05 [notice] 1#1: exit

podman top 查看容器的 pids

[root@localhost ~]# podman top web01
USER        PID         PPID        %CPU        ELAPSED         TTY         TIME        COMMAND
root        1           0           0.000       5m1.739557202s  pts/0       0s          nginx: master process nginx -g daemon off; 
nginx       30          1           0.000       5m1.739814247s  pts/0       0s          nginx: worker process 
nginx       31          1           0.000       5m1.739913641s  pts/0       0s          nginx: worker process

// -l 查看最新容器
[root@localhost ~]# podman top -l
USER        PID         PPID        %CPU        ELAPSED        TTY         TIME        COMMAND
root        1           0           0.000       11.295056103s  pts/0       0s          nginx: master process nginx -g daemon off; 
nginx       23          1           0.000       10.29518149s   pts/0       0s          nginx: worker process 
nginx       24          1           0.000       10.295250142s  pts/0       0s          nginx: worker process 

podman stop 停止容器

[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS       NAMES
6e1d7872c5ec  docker.io/library/nginx:latest  nginx -g daemon o...  7 minutes ago  Up 7 minutes ago              web01
9cffea5123c7  docker.io/library/nginx:latest  nginx -g daemon o...  7 minutes ago  Up 4 seconds ago              web02
[root@localhost ~]# podman stop web02
web02
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS       NAMES
6e1d7872c5ec  docker.io/library/nginx:latest  nginx -g daemon o...  8 minutes ago  Up 8 minutes ago              web01

podman start 启动容器

[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS       NAMES
6e1d7872c5ec  docker.io/library/nginx:latest  nginx -g daemon o...  9 minutes ago  Up 9 minutes ago              web01
[root@localhost ~]# podman start web02
web02
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS       NAMES
6e1d7872c5ec  docker.io/library/nginx:latest  nginx -g daemon o...  9 minutes ago  Up 9 minutes ago              web01
9cffea5123c7  docker.io/library/nginx:latest  nginx -g daemon o...  8 minutes ago  Up 3 seconds ago              web02

podman rm 删除容器

//-f 强制删除
[root@localhost ~]# podman rm -f web02
9cffea5123c7c977747cf770c1abe11fe302cd1fd5f8d250da5196e5ba3e7656
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED         STATUS             PORTS       NAMES
6e1d7872c5ec  docker.io/library/nginx:latest  nginx -g daemon o...  10 minutes ago  Up 10 minutes ago              web01

podman rmi 删除镜像

[root@localhost ~]# podman images
REPOSITORY                 TAG         IMAGE ID      CREATED       SIZE
docker.io/library/httpd    latest      8362f2615893  11 hours ago  148 MB
docker.io/library/busybox  latest      ffe9d497c324  7 days ago    1.46 MB
docker.io/library/nginx    latest      f652ca386ed1  13 days ago   146 MB

//-f 强制删除
[root@localhost ~]# podman rmi -f ffe9d497c324
Untagged: docker.io/library/busybox:latest
Deleted: ffe9d497c32414b1c5cdad8178a85602ee72453082da2463f1dede592ac7d5af
[root@localhost ~]# podman images
REPOSITORY               TAG         IMAGE ID      CREATED       SIZE
docker.io/library/httpd  latest      8362f2615893  11 hours ago  148 MB
docker.io/library/nginx  latest      f652ca386ed1  13 days ago   146 MB

pdoman容器的开机自启

使用podman generate --help查看用法
[root@podman ~]# podman generate --help
Generate structured data based on containers, pods or volumes

Description:
  Generate structured data (e.g., Kubernetes YAML or systemd units) based on containers, pods or volumes.

Usage:
  podman generate [command]

Available Commands:
  kube        Generate Kubernetes YAML from containers, pods or volumes.
  systemd     Generate systemd units.

使用podman generate systemd --help查看用法:
[root@podman ~]# podman generate systemd --help
Generate systemd units.

Description:
  Generate systemd units for a pod or container.
  The generated units can later be controlled via systemctl(1).

Usage:
  podman generate systemd [options] {CONTAINER|POD}

Examples:
  podman generate systemd CTR
  podman generate systemd --new --time 10 CTR
  podman generate systemd --files --name POD

Options:
      --container-prefix string   Systemd unit name prefix for containers (default "container")
  -f, --files                     Generate .service files instead of printing to stdout
      --format string             Print the created units in specified format (json)
  -n, --name                      Use container/pod names instead of IDs
      --new                       Create a new container or pod instead of starting an existing one
      --no-header                 Skip header generation
      --pod-prefix string         Systemd unit name prefix for pods (default "pod")
      --restart-policy string     Systemd restart-policy (default "on-failure")
      --separator string          Systemd unit name separator between name/id and prefix (default "-")
  -t, --time uint                 Stop timeout override (default 10)

root Podman容器服务自启动

[root@localhost ~]# podman run -tid --name web nginx
969d855df0326b8ea1efacd90e5ab2860763d950668e038fe2b410e897e25bf9
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS       NAMES
969d855df032  docker.io/library/nginx:latest  nginx -g daemon o...  6 seconds ago  Up 5 seconds ago              web
[root@localhost ~]# podman generate systemd --files --name web
/root/container-web.service
[root@localhost ~]# mv container-web.service /usr/lib/systemd/system/
[root@localhost ~]# systemctl status container-web
● container-web.service - Podman container-web.service
   Loaded: loaded (/usr/lib/systemd/system/container-web.ser>
   Active: inactive (dead)
     Docs: man:podman-generate-systemd(1)

[root@localhost ~]# systemctl enable --now container-web
Created symlink /etc/systemd/system/multi-user.target.wants/container-web.service → /usr/lib/systemd/system/container-web.service.
Created symlink /etc/systemd/system/default.target.wants/container-web.service → /usr/lib/systemd/system/container-web.service.
[root@localhost ~]# systemctl status container-web
● container-web.service - Podman container-web.service
   Loaded: loaded (/usr/lib/systemd/system/container-web.ser>
   Active: active (running) since Wed 2021-12-15 19:03:27 CS>
     Docs: man:podman-generate-systemd(1)
  Process: 14702 ExecStart=/usr/bin/podman start web (code=e>
 Main PID: 14575 (conmon)
    Tasks: 0 (limit: 11338)
   Memory: 1.0M
   CGroup: /system.slice/container-web.service
           ? 14575 /usr/bin/conmon --api-version 1 -c 969d85>

1215 19:03:27 localhost.localdomain systemd[1]: Starting >
1215 19:03:27 localhost.localdomain systemd[1]: Started P>
lines 1-13/13 (END)
● container-web.service - Podman container-web.service
   Loaded: loaded (/usr/lib/systemd/system/container-web.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-12-15 19:03:27 CST; 6s ago
     Docs: man:podman-generate-systemd(1)
  Process: 14702 ExecStart=/usr/bin/podman start web (code=exited, status=0/SUCCESS)
 Main PID: 14575 (conmon)
    Tasks: 0 (limit: 11338)
   Memory: 1.0M
   CGroup: /system.slice/container-web.service
           ? 14575 /usr/bin/conmon --api-version 1 -c 969d855df0326b8ea1efacd90e5ab2860763d950668e038fe2b410e897e25bf9 -u 96>

1215 19:03:27 localhost.localdomain systemd[1]: Starting Podman container-web.service...
1215 19:03:27 localhost.localdomain systemd[1]: Started Podman container-web.service.

普通用户设置容器开机自启

在允许没有root特权的用户运行Podman之前,管理员必须安装或构建Podman并完成以下配置

cgroup V2Linux内核功能允许用户限制普通用户容器可以使用的资源,如果使用cgroup V2启用了运行Podman的Linux发行版,则可能需要更改默认的OCI运行时。某些较旧的版本runc不适用于cgroup V2,必须切换到备用OCI运行时crun

[root@localhost ~]# yum  -y install crun

[root@localhost ~]# vim /usr/share/containers/containers.conf

runtime = "crun"      取消#
#runtime = "runc"     注释掉

配置storage.conf文件
[root@localhost ~]# vim /etc/containers/storage.conf

mount_program = "/usr/bin/fuse-overlayfs"	#取消注释

// 创建用户
[root@localhost ~]# useradd syb
[root@localhost ~]# echo "123456" |passwd --stdin syb
更改用户 syb 的密码 。
passwd:所有的身份验证令牌已经成功更新。
[root@localhost ~]# ssh syb@192.168.200.141
The authenticity of host '192.168.200.141 (192.168.200.141)' can't be established.
ECDSA key fingerprint is SHA256:3aBCquRdG1LVT8X2pT/0DPh77RRE1pj0F8z33PZa1xg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.200.141' (ECDSA) to the list of known hosts.
syb@192.168.200.141's password: 

#必须在家目录下创建此目录。不能跟改名字
[syb@localhost ~]$ mkdir -p ~/.config/systemd/user
[syb@localhost ~]$ cd ~/.config/systemd/user

#创建容器
[syb@localhost user]$ podman run -d --name test nginx
[syb@localhost user]$ podman generate systemd --name test --files --new

#停止容器
[syb@localhost user]$ podman stop test
test
[syb@localhost user]$ podman ps
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

#如果不是ssh登陆或重新进入linux系统的需重新加载系统服务
[syb@localhost user]$ systemctl --user daemon-reload
[syb@localhost user]$ systemctl --user enable --now container-test.service 
Created symlink /home/nea/.config/systemd/user/multi-user.target.wants/container-test.service → /home/nea/.config/systemd/user/container-test.service.
Created symlink /home/nea/.config/systemd/user/default.target.wants/container-test.service → /home/nea/.config/systemd/user/container-test.service.
[syb@localhost user]$ podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS       NAMES
2c79cfc6f4f7  docker.io/library/nginx:latest  nginx -g daemon o...  6 seconds ago  Up 6 seconds ago              test

[syb@localhost user]$ systemctl --user status container-test.service 
● container-test.service - Podman container-test.service
   Loaded: loaded (/home/syb/.config/systemd/user/container-test.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-12-15 01:44:49 EST; 9min ago
     Docs: man:podman-generate-systemd(1)
  Process: 19217 ExecStartPre=/bin/rm -f /run/user/1001/container-test.service.ctr-id (code=exited, status=0/SUCCESS)
 Main PID: 19257 (conmon)
   CGroup: /user.slice/user-1001.slice/user@1001.service/container-test.service
           ├─19251 /usr/bin/fuse-overlayfs -o ,lowerdir=/home/nea/.local/share/containers/storage/overlay/l/5S2WLHYYVZAJ3G7TOACCLLOJ52:/home/nea/.local/share/>
           ├─19253 /usr/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable-sandbox --enable-seccomp -c -e 3 -r 4 --netns-type=path /run/user/1001/ne>
           ├─19257 /usr/bin/conmon --api-version 1 -c 2c79cfc6f4f71f1c4bbb69240883347d9da098ae26147c463d904fe61f75cf8b -u 2c79cfc6f4f71f1c4bbb69240883347d9da0>
           ├─19260 nginx: master process nginx -g daemon off;
           ├─19286 nginx: worker process
           └─19287 nginx: worker process
lines 1-13/13 (END)

  系统运维 最新文章
配置小型公司网络WLAN基本业务(AC通过三层
如何在交付运维过程中建立风险底线意识,提
快速传输大文件,怎么通过网络传大文件给对
从游戏服务端角度分析移动同步(状态同步)
MySQL使用MyCat实现分库分表
如何用DWDM射频光纤技术实现200公里外的站点
国内顺畅下载k8s.gcr.io的镜像
自动化测试appium
ctfshow ssrf
Linux操作系统学习之实用指令(Centos7/8均
上一篇文章      下一篇文章      查看所有文章
加:2021-12-16 18:06:51  更:2021-12-16 18:07:55 
 
开发: C++知识库 Java知识库 JavaScript Python PHP知识库 人工智能 区块链 大数据 移动开发 嵌入式 开发工具 数据结构与算法 开发测试 游戏开发 网络协议 系统运维
教程: HTML教程 CSS教程 JavaScript教程 Go语言教程 JQuery教程 VUE教程 VUE3教程 Bootstrap教程 SQL数据库教程 C语言教程 C++教程 Java教程 Python教程 Python3教程 C#教程
数码: 电脑 笔记本 显卡 显示器 固态硬盘 硬盘 耳机 手机 iphone vivo oppo 小米 华为 单反 装机 图拉丁

360图书馆 购物 三丰科技 阅读网 日历 万年历 2024年11日历 -2024/11/16 5:45:26-

图片自动播放器
↓图片自动播放器↓
TxT小说阅读器
↓语音阅读,小说下载,古典文学↓
一键清除垃圾
↓轻轻一点,清除系统垃圾↓
图片批量下载器
↓批量下载图片,美女图库↓
  网站联系: qq:121756557 email:121756557@qq.com  IT数码