Podman networking and autostart of Podman containers at boot
Podman networking
Differences between rootfull and rootless container networking
One of the guiding factors in how a Podman container is networked is whether the container is run by the root user. This is because unprivileged users cannot create network interfaces on the host. Therefore, for rootfull containers the default network mode is to use Container Network Interface (CNI) plugins, specifically the bridge plugin. For rootless containers the default network mode is slirp4netns. Because of its limited privileges, slirp4netns lacks some of the features of CNI networking; for example, slirp4netns cannot give a container a routable IP address. CNI stands for Container Network Interface.
Firewall
The firewall does not affect how networks are set up and configured, but it does affect the traffic on those networks. The most obvious case is inbound traffic to the container host, which is usually passed on to containers through port mappings. Depending on the firewall implementation, we have observed firewall ports being opened automatically as a result of running a container with a port mapping (for example). If container traffic does not seem to work, check the firewall and allow traffic on the port numbers the container is using. A common problem is that reloading the firewall removes the CNI iptables rules, which makes rootfull containers lose network connectivity. Podman v3 provides the podman network reload command to restore them without restarting the container.
Basic network setup
Most containers and pods run with Podman follow a few simple scenarios. By default, rootfull Podman creates a bridge network. This is the most straightforward and preferred network setup for Podman. A bridge network creates an interface for the container on an internal bridge network, which is then connected to the internet through network address translation (NAT). We also see users who want macvlan for networking. The macvlan plugin forwards an entire network interface from the host into the container, allowing it to reach the network the host is connected to. Finally, the default network configuration for rootless containers is slirp4netns. The slirp4netns network mode has limited capabilities, but it can run as a user without root privileges. It creates a tunnel from the host into the container to forward traffic.
Example of inter-container communication
// Start a container named test
[root@localhost ~]
/
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 9e:79:b4:02:bc:6e brd ff:ff:ff:ff:ff:ff
inet 10.88.0.2/16 brd 10.88.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::9c79:b4ff:fe02:bc6e/64 scope link
valid_lft forever preferred_lft forever
// Start a container named test1
Last login: Wed Dec 15 18:17:33 2021 from 192.168.200.1
[root@localhost ~]
/
PING 10.88.0.2 (10.88.0.2): 56 data bytes
64 bytes from 10.88.0.2: seq=0 ttl=64 time=0.064 ms
64 bytes from 10.88.0.2: seq=1 ttl=64 time=0.072 ms
64 bytes from 10.88.0.2: seq=2 ttl=64 time=0.053 ms
64 bytes from 10.88.0.2: seq=3 ttl=64 time=0.055 ms
64 bytes from 10.88.0.2: seq=4 ttl=64 time=0.067 ms
^Z[1]+ Stopped ping 10.88.0.2
// Each time a container is started, a veth interface is created on the host
[root@localhost ~]
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:2d:c8:6e brd ff:ff:ff:ff:ff:ff
inet 192.168.200.141/24 brd 192.168.200.255 scope global dynamic noprefixroute ens33
valid_lft 1215sec preferred_lft 1215sec
inet6 fe80::5027:eefc:8c9f:a575/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: cni-podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 5a:a0:b3:c5:a3:9c brd ff:ff:ff:ff:ff:ff
inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
valid_lft forever preferred_lft forever
inet6 fe80::58a0:b3ff:fec5:a39c/64 scope link
valid_lft forever preferred_lft forever
4: vetha26b4f36@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default
link/ether 5e:79:96:43:e8:17 brd ff:ff:ff:ff:ff:ff link-netns cni-1960c697-8aa9-65b9-8127-82de4d41d869
inet6 fe80::5c79:96ff:fe43:e817/64 scope link
valid_lft forever preferred_lft forever
5: vethb37df711@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default
link/ether 5a:4d:43:68:dc:ee brd ff:ff:ff:ff:ff:ff link-netns cni-02527c58-38d4-96cc-a5c8-eaa007fce05c
inet6 fe80::584d:43ff:fe68:dcee/64 scope link
valid_lft forever preferred_lft forever
// It is removed when the container stops
[root@localhost ~]
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
836603d32987 docker.io/library/busybox:latest /bin/sh 3 minutes ago Up 3 minutes ago test
6dcdce15b6a1 docker.io/library/busybox:latest /bin/sh About a minute ago Up About a minute ago test1
[root@localhost ~]
test1
test
[root@localhost ~]
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:2d:c8:6e brd ff:ff:ff:ff:ff:ff
inet 192.168.200.141/24 brd 192.168.200.255 scope global dynamic noprefixroute ens33
valid_lft 1132sec preferred_lft 1132sec
inet6 fe80::5027:eefc:8c9f:a575/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: cni-podman0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 5a:a0:b3:c5:a3:9c brd ff:ff:ff:ff:ff:ff
inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
valid_lft forever preferred_lft forever
inet6 fe80::58a0:b3ff:fec5:a39c/64 scope link
valid_lft forever preferred_lft forever
View the firewall rules
[root@localhost ~]
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
// Run a container for testing; once a container is running, a rule is automatically added for it and its port is allowed
[root@localhost ~]
89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052
[root@localhost ~]
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-MASQ all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI portfwd requiring masquerade */
0 0 CNI-d83ef39c9d5296ad8fdd9da6 all -- * * 10.88.0.4 0.0.0.0/0 /* name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain CNI-d83ef39c9d5296ad8fdd9da6 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 10.88.0.0/16 /* name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */
0 0 MASQUERADE all -- * * 0.0.0.0/0 !224.0.0.0/4 /* name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */
Chain CNI-HOSTPORT-SETMARK (2 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI portfwd masquerade mark */ MARK or 0x2000
Chain CNI-HOSTPORT-MASQ (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x2000/0x2000
Chain CNI-HOSTPORT-DNAT (2 references)
pkts bytes target prot opt in out source destination
0 0 CNI-DN-d83ef39c9d5296ad8fdd9 tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* dnat name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */ multiport dports 80
Chain CNI-DN-d83ef39c9d5296ad8fdd9 (1 references)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 10.88.0.0/16 0.0.0.0/0 tcp dpt:80
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 127.0.0.1 0.0.0.0/0 tcp dpt:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.88.0.4:80
[root@localhost ~]
"IPAddress": "10.88.0.4",
"GlobalIPv6Address": "",
"MacAddress": "be:3b:3f:d7:87:94",
"LinkLocalIPv6Address": "",
"IPAddress": "10.88.0.4",
"GlobalIPv6Address": "",
"MacAddress": "be:3b:3f:d7:87:94",
// Access test
[root@localhost ~]
<html><body><h1>It works!</h1></body></html>
// Restore the firewall rules by restarting the container
[root@localhost ~]
[root@localhost ~]
[root@localhost ~]
[root@localhost ~]
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain CNI-d83ef39c9d5296ad8fdd9da6 (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-HOSTPORT-SETMARK (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-HOSTPORT-MASQ (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-HOSTPORT-DNAT (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-DN-d83ef39c9d5296ad8fdd9 (0 references)
pkts bytes target prot opt in out source destination
// Restart the container
[root@localhost ~]
89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052
[root@localhost ~]
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 152 CNI-HOSTPORT-MASQ all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI portfwd requiring masquerade */
0 0 CNI-d83ef39c9d5296ad8fdd9da6 all -- * * 10.88.0.5 0.0.0.0/0 /* name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain CNI-HOSTPORT-SETMARK (2 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI portfwd masquerade mark */ MARK or 0x2000
Chain CNI-HOSTPORT-MASQ (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x2000/0x2000
Chain CNI-HOSTPORT-DNAT (2 references)
pkts bytes target prot opt in out source destination
0 0 CNI-DN-d83ef39c9d5296ad8fdd9 tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* dnat name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */ multiport dports 80
Chain CNI-d83ef39c9d5296ad8fdd9da6 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 10.88.0.0/16 /* name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */
0 0 MASQUERADE all -- * * 0.0.0.0/0 !224.0.0.0/4 /* name: "podman" id: "89b94f1bd0815ff5b4b0f6b49b547d5d4581700ab4c4dcfbd6bd1a55d044f052" */
Chain CNI-DN-d83ef39c9d5296ad8fdd9 (1 references)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 10.88.0.0/16 0.0.0.0/0 tcp dpt:80
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 127.0.0.1 0.0.0.0/0 tcp dpt:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.88.0.5:80
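An added example (not from the original post) that turns the firewall check above into a script: it parses `iptables -t nat -nvL` output to decide whether the CNI jump rules are still present in the built-in nat chains, and only then calls `podman network reload --all` to restore them instead of restarting containers. `repair_if_needed` assumes a root shell on a Podman v3 host with iptables; the embedded samples are constructed from the two listings shown above.

```shell
#!/bin/sh
# Added example: detect the "firewall reload wiped the CNI NAT rules" state
# and repair it with `podman network reload` rather than a container restart.

# cni_nat_rules_present: read `iptables -t nat -nvL` output on stdin and return
# 0 when PREROUTING and OUTPUT still jump to CNI-HOSTPORT-DNAT and POSTROUTING
# still jumps to CNI-HOSTPORT-MASQ; return 1 when any of those jumps is gone
# (the CNI-* chains may still exist with "0 references", as in the listing
# taken after the firewall reload).
cni_nat_rules_present() {
    awk '
        /^Chain /                                          { chain = $2; next }
        chain == "PREROUTING"  && $3 == "CNI-HOSTPORT-DNAT" { pre = 1 }
        chain == "OUTPUT"      && $3 == "CNI-HOSTPORT-DNAT" { out = 1 }
        chain == "POSTROUTING" && $3 == "CNI-HOSTPORT-MASQ" { post = 1 }
        END { if (pre && out && post) exit 0; exit 1 }
    '
}

# repair_if_needed: live check on the host (needs root, iptables and podman).
# Returns 0 when the rules are present or were restored successfully.
repair_if_needed() {
    if iptables -t nat -nvL | cni_nat_rules_present; then
        echo "CNI nat rules present; nothing to do"
        return 0
    fi
    echo "CNI nat rules missing (firewall reloaded?); running podman network reload"
    podman network reload --all
    iptables -t nat -nvL | cni_nat_rules_present
}

# Constructed samples, abridged from the two iptables listings on this page.
SAMPLE_RULES_PRESENT='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CNI-HOSTPORT-MASQ  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* CNI portfwd requiring masquerade */
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
Chain CNI-HOSTPORT-DNAT (2 references)
 pkts bytes target     prot opt in     out     source               destination'

SAMPLE_RULES_GONE='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain CNI-HOSTPORT-DNAT (0 references)
 pkts bytes target     prot opt in     out     source               destination'

# Offline demonstration of the detector on both samples.
if printf '%s\n' "$SAMPLE_RULES_PRESENT" | cni_nat_rules_present; then
    echo "sample 1: CNI nat rules present"
fi
if ! printf '%s\n' "$SAMPLE_RULES_GONE" | cni_nat_rules_present; then
    echo "sample 2: CNI nat rules gone"
fi

# Run the live check only when explicitly asked: sh thisscript.sh --live
if [ "${1:-}" = "--live" ]; then
    repair_if_needed
fi
```

Put `sh thisscript.sh --live` in a cron job or a firewalld/iptables post-reload hook so the loss of connectivity is repaired without anyone restarting containers by hand.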
Podman network settings
Specify a network and run a container
Create the podman2 network
[root@localhost ~]
/etc/cni/net.d/podman2.conflist
[root@localhost ~]
--subnet: create a network with the specified subnet
podman network create --subnet <subnet> <network-name>
[root@localhost ~]
/etc/cni/net.d/newnet.conflist
--gateway: specify the gateway
podman network create --subnet <subnet> --gateway <gateway-address> newnet1
[root@localhost ~]
/etc/cni/net.d/newnet1.conflist
--ip-range: specify the range of IP addresses (starting address) to allocate from
[root@localhost ~]
/etc/cni/net.d/newnet2.conflist
[root@localhost ~]
View the networks just created
[root@localhost ~]
NETWORK ID NAME VERSION PLUGINS
2f259bab93aa podman 0.4.0 bridge,portmap,firewall,tuning
884e74728f04 newnet 0.4.0 bridge,portmap,firewall,tuning
45b3499a170b newnet1 0.4.0 bridge,portmap,firewall,tuning
31213d4efd11 newnet2 0.4.0 bridge,portmap,firewall,tuning
4d24ca3baa36 podman2 0.4.0 bridge,portmap,firewall,tuning
Use the network just created and run a container
Format: podman run --name <container-name> --network <network-name> <image>
[root@localhost ~]
b926e6a2a1b16b8275fa59813d30139c03ab6678933219fd551acc7105e8c742
View the container's IP address
[root@localhost ~]
"IPAddress": "10.88.0.3",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"IPAddress": "10.88.0.3",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAMConfig": null,
Podman network management
Note: after a container is started, the cni-podman0 interface appears; by default a container connects to the podman network when it starts
[root@localhost ~]
3: cni-podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether ae:fa:0b:90:77:8e brd ff:ff:ff:ff:ff:ff
inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
valid_lft forever preferred_lft forever
inet6 fe80::acfa:bff:fe90:778e/64 scope link
valid_lft forever preferred_lft forever
View container networks
[root@localhost ~]
NETWORK ID NAME VERSION PLUGINS
2f259bab93aa podman 0.4.0 bridge,portmap,firewall,tuning
884e74728f04 newnet 0.4.0 bridge,portmap,firewall,tuning
45b3499a170b newnet1 0.4.0 bridge,portmap,firewall,tuning
31213d4efd11 newnet2 0.4.0 bridge,portmap,firewall,tuning
4d24ca3baa36 podman2 0.4.0 bridge,portmap,firewall,tuning
Disconnect a network (disconnect)
[root@localhost ~]
Reload container networking (reload)
[root@localhost ~]
b926e6a2a1b16b8275fa59813d30139c03ab6678933219fd551acc7105e8c742
Delete a Podman network (rm)
[root@localhost ~]
NETWORK ID NAME VERSION PLUGINS
2f259bab93aa podman 0.4.0 bridge,portmap,firewall,tuning
884e74728f04 newnet 0.4.0 bridge,portmap,firewall,tuning
45b3499a170b newnet1 0.4.0 bridge,portmap,firewall,tuning
31213d4efd11 newnet2 0.4.0 bridge,portmap,firewall,tuning
4d24ca3baa36 podman2 0.4.0 bridge,portmap,firewall,tuning
[root@localhost ~]
newnet1
newnet2
[root@localhost ~]
NETWORK ID NAME VERSION PLUGINS
2f259bab93aa podman 0.4.0 bridge,portmap,firewall,tuning
884e74728f04 newnet 0.4.0 bridge,portmap,firewall,tuning
4d24ca3baa36 podman2 0.4.0 bridge,portmap,firewall,tuning
Common Podman commands
podman search: search for images
[root@podman ~]
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
docker.io docker.io/library/httpd The Apache HTTP Server Project 3794 [OK]
podman pull: pull an image
[root@localhost ~]
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@localhost ~]
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob e5ae68f74026 skipped: already exists
Copying blob 21e0df283cd6 done
Copying blob 77700c52c969 done
Copying blob ed835de16acd done
Copying blob 44be98c0fab6 done
Copying blob 881ff011f1c9 done
Copying config f652ca386e done
Writing manifest to image destination
Storing signatures
f652ca386ed135a4cbe356333e08ef0816f81b2ac8d0619af01e2b256837ed3e
podman images: list all images
[root@localhost ~]
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest f652ca386ed1 13 days ago 146 MB
podman run: run a container
[root@localhost ~]
6e1d7872c5ec26863d513624d20c1adb64f85eb970fe1c5da1ebeda941eae487
podman ps: list running containers
[root@localhost ~]
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6e1d7872c5ec docker.io/library/nginx:latest nginx -g daemon o... 51 seconds ago Up 51 seconds ago web01
// With -a added, Podman shows all containers (created, exited, running, etc.)
[root@localhost ~]
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6e1d7872c5ec docker.io/library/nginx:latest nginx -g daemon o... 54 seconds ago Up 53 seconds ago web01
9cffea5123c7 docker.io/library/nginx:latest nginx -g daemon o... 23 seconds ago Exited (0) 10 seconds ago web02
podman inspect: show detailed information about a container
[root@localhost ~]
[
{
"Id": "6e1d7872c5ec26863d513624d20c1adb64f85eb970fe1c5da1ebeda941eae487",
"Created": "2021-12-15T18:48:21.76933645+08:00",
"Path": "/docker-entrypoint.sh",
"Args": [
"nginx",
"-g",
"daemon off;"
],
"State": {
"OciVersion": "1.0.2-dev",
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 12767,
"ConmonPid": 12756,
"ExitCode": 0,
"Error": "",
"StartedAt": "2021-12-15T18:48:22.484198349+08:00",
"FinishedAt": "0001-01-01T00:00:00Z",
"Healthcheck": {
"Status": "",
"FailingStreak": 0,
"Log": null
}
},
// -l shows the latest container
[root@localhost ~]
"IPAddress": "10.88.0.2",
"IPAddress": "10.88.0.2",
podman logs: view container logs
// -l shows the logs of the latest container
[root@localhost ~]
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2021/12/15 10:48:53 [notice] 1
2021/12/15 10:48:53 [notice] 1
2021/12/15 10:48:53 [notice] 1
2021/12/15 10:48:53 [notice] 1
2021/12/15 10:48:53 [notice] 1
2021/12/15 10:48:53 [notice] 1
2021/12/15 10:48:53 [notice] 1
2021/12/15 10:48:53 [notice] 1
2021/12/15 10:49:05 [notice] 1
2021/12/15 10:49:05 [notice] 31
2021/12/15 10:49:05 [notice] 30
2021/12/15 10:49:05 [notice] 31
2021/12/15 10:49:05 [notice] 30
2021/12/15 10:49:05 [notice] 31
2021/12/15 10:49:05 [notice] 30
2021/12/15 10:49:05 [notice] 1
2021/12/15 10:49:05 [notice] 1
2021/12/15 10:49:05 [notice] 1
2021/12/15 10:49:05 [notice] 1
podman top: view the processes (pids) of a container
[root@localhost ~]
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
root 1 0 0.000 5m1.739557202s pts/0 0s nginx: master process nginx -g daemon off;
nginx 30 1 0.000 5m1.739814247s pts/0 0s nginx: worker process
nginx 31 1 0.000 5m1.739913641s pts/0 0s nginx: worker process
// -l shows the latest container
[root@localhost ~]
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
root 1 0 0.000 11.295056103s pts/0 0s nginx: master process nginx -g daemon off;
nginx 23 1 0.000 10.29518149s pts/0 0s nginx: worker process
nginx 24 1 0.000 10.295250142s pts/0 0s nginx: worker process
podman stop: stop a container
[root@localhost ~]
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6e1d7872c5ec docker.io/library/nginx:latest nginx -g daemon o... 7 minutes ago Up 7 minutes ago web01
9cffea5123c7 docker.io/library/nginx:latest nginx -g daemon o... 7 minutes ago Up 4 seconds ago web02
[root@localhost ~]
web02
[root@localhost ~]
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6e1d7872c5ec docker.io/library/nginx:latest nginx -g daemon o... 8 minutes ago Up 8 minutes ago web01
podman start: start a container
[root@localhost ~]
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6e1d7872c5ec docker.io/library/nginx:latest nginx -g daemon o... 9 minutes ago Up 9 minutes ago web01
[root@localhost ~]
web02
[root@localhost ~]
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6e1d7872c5ec docker.io/library/nginx:latest nginx -g daemon o... 9 minutes ago Up 9 minutes ago web01
9cffea5123c7 docker.io/library/nginx:latest nginx -g daemon o... 8 minutes ago Up 3 seconds ago web02
podman rm: delete a container
// -f forces deletion
[root@localhost ~]
9cffea5123c7c977747cf770c1abe11fe302cd1fd5f8d250da5196e5ba3e7656
[root@localhost ~]
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6e1d7872c5ec docker.io/library/nginx:latest nginx -g daemon o... 10 minutes ago Up 10 minutes ago web01
podman rmi: delete an image
[root@localhost ~]
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/httpd latest 8362f2615893 11 hours ago 148 MB
docker.io/library/busybox latest ffe9d497c324 7 days ago 1.46 MB
docker.io/library/nginx latest f652ca386ed1 13 days ago 146 MB
// -f forces deletion
[root@localhost ~]
Untagged: docker.io/library/busybox:latest
Deleted: ffe9d497c32414b1c5cdad8178a85602ee72453082da2463f1dede592ac7d5af
[root@localhost ~]
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/httpd latest 8362f2615893 11 hours ago 148 MB
docker.io/library/nginx latest f652ca386ed1 13 days ago 146 MB
Autostart of Podman containers at boot
Use podman generate --help to see the usage
[root@podman ~]
Generate structured data based on containers, pods or volumes
Description:
Generate structured data (e.g., Kubernetes YAML or systemd units) based on containers, pods or volumes.
Usage:
podman generate [command]
Available Commands:
kube Generate Kubernetes YAML from containers, pods or volumes.
systemd Generate systemd units.
Use podman generate systemd --help to see the usage:
[root@podman ~]
Generate systemd units.
Description:
Generate systemd units for a pod or container.
The generated units can later be controlled via systemctl(1).
Usage:
podman generate systemd [options] {CONTAINER|POD}
Examples:
podman generate systemd CTR
podman generate systemd --new --time 10 CTR
podman generate systemd --files --name POD
Options:
--container-prefix string Systemd unit name prefix for containers (default "container")
-f, --files Generate .service files instead of printing to stdout
--format string Print the created units in specified format (json)
-n, --name Use container/pod names instead of IDs
--new Create a new container or pod instead of starting an existing one
--no-header Skip header generation
--pod-prefix string Systemd unit name prefix for pods (default "pod")
--restart-policy string Systemd restart-policy (default "on-failure")
--separator string Systemd unit name separator between name/id and prefix (default "-")
-t, --time uint Stop timeout override (default 10)
Autostart of a root Podman container as a service
[root@localhost ~]
969d855df0326b8ea1efacd90e5ab2860763d950668e038fe2b410e897e25bf9
[root@localhost ~]
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
969d855df032 docker.io/library/nginx:latest nginx -g daemon o... 6 seconds ago Up 5 seconds ago web
[root@localhost ~]
/root/container-web.service
[root@localhost ~]
[root@localhost ~]
● container-web.service - Podman container-web.service
Loaded: loaded (/usr/lib/systemd/system/container-web.ser>
Active: inactive (dead)
Docs: man:podman-generate-systemd(1)
[root@localhost ~]
Created symlink /etc/systemd/system/multi-user.target.wants/container-web.service → /usr/lib/systemd/system/container-web.service.
Created symlink /etc/systemd/system/default.target.wants/container-web.service → /usr/lib/systemd/system/container-web.service.
[root@localhost ~]
● container-web.service - Podman container-web.service
Loaded: loaded (/usr/lib/systemd/system/container-web.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2021-12-15 19:03:27 CST; 6s ago
Docs: man:podman-generate-systemd(1)
Process: 14702 ExecStart=/usr/bin/podman start web (code=exited, status=0/SUCCESS)
Main PID: 14575 (conmon)
Tasks: 0 (limit: 11338)
Memory: 1.0M
CGroup: /system.slice/container-web.service
└─14575 /usr/bin/conmon --api-version 1 -c 969d855df0326b8ea1efacd90e5ab2860763d950668e038fe2b410e897e25bf9 -u 96>
12月 15 19:03:27 localhost.localdomain systemd[1]: Starting Podman container-web.service...
12月 15 19:03:27 localhost.localdomain systemd[1]: Started Podman container-web.service.
Setting up container autostart for a regular user
Before allowing users without root privileges to run Podman, the administrator must install or build Podman and complete the following configuration.
The cgroup v2 Linux kernel feature lets administrators limit the resources that regular users' containers can use. If the Linux distribution running Podman has cgroup v2 enabled, the default OCI runtime may need to be changed: some older versions of runc do not work with cgroup v2, and you must switch to the alternative OCI runtime crun.
[root@localhost ~]
[root@localhost ~]
runtime = "crun"    (uncomment this line)
Configure the storage.conf file
[root@localhost ~]
mount_program = "/usr/bin/fuse-overlayfs"
// Create the user
[root@localhost ~]
[root@localhost ~]
更改用户 syb 的密码 。
passwd:所有的身份验证令牌已经成功更新。
[root@localhost ~]
The authenticity of host '192.168.200.141 (192.168.200.141)' can't be established.
ECDSA key fingerprint is SHA256:3aBCquRdG1LVT8X2pT/0DPh77RRE1pj0F8z33PZa1xg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.200.141' (ECDSA) to the list of known hosts.
syb@192.168.200.141's password:
[syb@localhost ~]$ mkdir -p ~/.config/systemd/user
[syb@localhost ~]$ cd ~/.config/systemd/user
[syb@localhost user]$ podman run -d --name test nginx
[syb@localhost user]$ podman generate systemd --name test --files --new
[syb@localhost user]$ podman stop test
test
[syb@localhost user]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[syb@localhost user]$ systemctl --user daemon-reload
[syb@localhost user]$ systemctl --user enable --now container-test.service
Created symlink /home/nea/.config/systemd/user/multi-user.target.wants/container-test.service → /home/nea/.config/systemd/user/container-test.service.
Created symlink /home/nea/.config/systemd/user/default.target.wants/container-test.service → /home/nea/.config/systemd/user/container-test.service.
[syb@localhost user]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2c79cfc6f4f7 docker.io/library/nginx:latest nginx -g daemon o... 6 seconds ago Up 6 seconds ago test
[syb@localhost user]$ systemctl --user status container-test.service
● container-test.service - Podman container-test.service
Loaded: loaded (/home/syb/.config/systemd/user/container-test.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2021-12-15 01:44:49 EST; 9min ago
Docs: man:podman-generate-systemd(1)
Process: 19217 ExecStartPre=/bin/rm -f /run/user/1001/container-test.service.ctr-id (code=exited, status=0/SUCCESS)
Main PID: 19257 (conmon)
CGroup: /user.slice/user-1001.slice/user@1001.service/container-test.service
├─19251 /usr/bin/fuse-overlayfs -o ,lowerdir=/home/nea/.local/share/containers/storage/overlay/l/5S2WLHYYVZAJ3G7TOACCLLOJ52:/home/nea/.local/share/>
├─19253 /usr/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable-sandbox --enable-seccomp -c -e 3 -r 4 --netns-type=path /run/user/1001/ne>
├─19257 /usr/bin/conmon --api-version 1 -c 2c79cfc6f4f71f1c4bbb69240883347d9da098ae26147c463d904fe61f75cf8b -u 2c79cfc6f4f71f1c4bbb69240883347d9da0>
├─19260 nginx: master process nginx -g daemon off;
├─19286 nginx: worker process
└─19287 nginx: worker process
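The rootless procedure above, as an added script (not from the original post): it creates the user unit directory, generates the unit with `podman generate systemd --name --files --new`, enables it, and adds the one step the session does not show, `loginctl enable-linger`, without which a user's units only run while that user has a login session and so never start at boot. `setup_rootless_autostart` assumes podman, systemd --user and loginctl on the host and is run as the unprivileged user; `user_unit_dir` and `unit_name` are pure helpers that mirror the --container-prefix and --separator options in the --help output above.

```shell
#!/bin/sh
# Added example: rootless container autostart through a systemd user unit.

# user_unit_dir: the directory systemd --user reads unit files from
# ($XDG_CONFIG_HOME/systemd/user, defaulting to ~/.config/systemd/user).
user_unit_dir() {
    printf '%s/systemd/user\n' "${XDG_CONFIG_HOME:-$HOME/.config}"
}

# unit_name NAME [PREFIX] [SEPARATOR]: the unit file name produced by
# `podman generate systemd --name`, following --container-prefix
# (default "container") and --separator (default "-").
unit_name() {
    printf '%s%s%s.service\n' "${2:-container}" "${3:--}" "$1"
}

# setup_rootless_autostart NAME IMAGE [RUN-ARGS...]: run as the unprivileged user.
setup_rootless_autostart() {
    name=$1; image=$2; shift 2
    dir=$(user_unit_dir)
    unit=$(unit_name "$name")

    mkdir -p "$dir"
    # Create the container once so the generator can read its configuration.
    podman run -d --name "$name" "$@" "$image"
    # --new: the unit runs `podman run` itself on every start instead of
    # `podman start`, so it does not depend on this container surviving.
    ( cd "$dir" && podman generate systemd --name "$name" --files --new )
    # Stop and remove the hand-started copy; systemd owns the container now.
    podman stop "$name" && podman rm "$name"

    systemctl --user daemon-reload
    systemctl --user enable --now "$unit"
    # Without lingering, user units only run while the user is logged in and
    # are never started at boot, so "enable" alone does not give autostart.
    loginctl enable-linger "$(id -un)"

    systemctl --user --no-pager status "$unit"
}

# Usage: sh thisscript.sh test docker.io/library/nginx
if [ "$#" -ge 2 ]; then
    setup_rootless_autostart "$@"
fi
```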