在无根的环境中基本设置和使用podman

基本设置

cgroup V2Linux内核功能允许用户限制普通用户容器可以使用的资源，如果使用cgroupV2启用了运行Podman的Linux发行版，则可能需要更改默认的OCI运行时。某些较旧的版本runc不适用于cgroupV2，必须切换到备用OCI运行时crun。

[[email protected] ~]# dnf -y install crun

[[email protected] ~]# vim /usr/share/containers/containers.conf
runtime = "crun"
#runtime = "runc"

[[email protected] ~]# podman run -d --name web -p 80:80 httpd
7771b661a871d5e2e44080fc649400f2d45e650255bce3d2fea65dbf9ee4790c
[[email protected] ~]# 
[[email protected] ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND           CREATED         STATUS             PORTS               NAMES
7771b661a871  docker.io/library/httpd:latest  httpd-foreground  31 seconds ago  Up 30 seconds ago  0.0.0.0:80->80/tcp  web
[[email protected] ~]# podman inspect web | grep crun
        "OCIRuntime": "crun",
            "crun",
[[email protected] ~]# 

安装slirp4netns和fuse-overlayfs

在普通用户环境中使用Podman时，建议使用fuse-overlayfs而不是VFS文件系统，至少需要版本0.7.6。下载slirp4netns和fuse-overlayfs

[[email protected] ~]# dnf -y install fuse-overlayfs
[[email protected] ~]# dnf -y install slirp4netns
[[email protected] ~]# vim /etc/containers/storage.conf
mount_program = "/usr/bin/fuse-overlayfs"   #搜索fuse，取消这行注释
[[email protected] ~]# which fuse-overlayfs
/usr/bin/fuse-overlayfs

/etc/subuid和/etc/subgid配置
Podman要求运行它的用户在/ etc / subuid和/ etc / subgid文件中列出一系列UID,shadow-utils或newuid包提供这些文件
[[email protected] ~]# dnf -y install shadow-utils

在/etc/subuid和/etc/subgid查看，每个用户的值必须唯一且没有任何重叠。

[[email protected] ~]# useradd nie
[[email protected] ~]# cat /etc/subuid
nie:100000:65536
[[email protected] ~]# cat /etc/subgid
nie:100000:65536
[[email protected] ~]# 
启动非特权ping
[[email protected] ~]# vim /etc/sysctl.conf
net.ipv4.ping_group_range=0 200000 #添加此行，大于100000这个就表示tom可以操作podman

这个文件的格式是 USERNAME:UID:RANGE中/etc/passwd或输出中列出的用户名getpwent。

• 为用户分配的初始 UID。
• 为用户分配的 UID 范围的大小。

该usermod程序可用于为用户分配 UID 和 GID，而不是直接更新文件。

[[email protected] ~]# useradd bang
[[email protected] ~]# cat /etc/subuid /etc/subgid
nie:100000:65536
bang:165536:65536
nie:100000:65536
bang:165536:65536
[[email protected] ~]# 
[[email protected] ~]# cat /etc/subuid /etc/subgidnie:100000:65536
bang:165536:65536
bang:20000:101
nie:100000:65536
bang:165536:65536
bang:20000:101
[[email protected] ~]# 
[[email protected] ~]# usermod --del-subuids 165536-231072 --del-subgids 165536-231072 bang
[[email protected] ~]# cat /etc/subuid /etc/subgid
nie:100000:65536
bang:20000:101
nie:100000:65536
bang:20000:101
[[email protected] ~]# 
[[email protected] ~]# usermod --add-subuids 200000-201000 --add-subgids 200000-201000 bang
[[email protected] ~]# cat /etc/subuid /etc/subgid
nie:100000:65536
bang:20000:101
bang:200000:1001
nie:100000:65536
bang:20000:101
bang:200000:1001
[[email protected] ~]# 

用户配置文件

三个主要的配置文件是container.conf、storage.conf和registries.conf。用户可以根据需要修改这些文件。

container.conf(容器配置文件)

// 用户配置文件
[[email protected] ~]# cat /usr/share/containers/containers.conf
[[email protected] ~]# cat /etc/containers/containers.conf
[[email protected] ~]# cat ~/.config/containers/containers.conf  //优先级最高

storage.conf(存储配文件)

1./etc/containers/storage.conf
2.$HOME/.config/containers/storage.conf

在普通用户中/etc/containers/storage.conf的一些字段将被忽略

[[email protected] ~]# vim /etc/containers/storage.conf
driver = "overlay"    #此处改为overlay
......
mount_program = "/usr/bin/fuse-overlayfs"    #取消注释

[[email protected] ~]# vim /etc/sysctl.conf
user.max_user_namespaces=15000  #添加此行

在普通用户中这些字段默认

[[email protected] ~]# vim /etc/containers/storage.conf
graphroot="$HOME/.local/share/containers/storage"
runroot="$XDG_RUNTIME_DIR/containers"

registries.conf(仓库配置文件)

配置按此顺序读入,这些文件不是默认创建的,可以从/usr/share/containers或复制文件/etc/containers并进行修改。

1./etc/containers/registries.conf
2./etc/containers/registries.d/*
3.HOME/.config/containers/registries.conf

授权文件

此文件里面写了docker账号的密码，以加密方式显示

root用户和普通用户的docker账号和密码授权是相同的

[[email protected] ~]# podman login
Username: daojiang
Password: 
Login Succeeded!
[[email protected] ~]# 
[[email protected] ~]# find / -name auth.json
/run/user/0/containers/auth.json
[[email protected] ~]# 
[[email protected] ~]# cat /run/user/0/containers/auth.json 
{
        "auths": {
                "docker.io": {
                        "auth": "ZGFvamlhbmc6MTIzNDU2Nzg5"
                }
        }
}[[email protected] ~]# 
[[email protected] ~]$ find / -name auth.json
/tmp/podman-run-1000/containers/auth.json
[[email protected] ~]$ 
[[email protected] ~]$ cat //tmp/podman-run-1000/containers/auth.json
{
        "auths": {
                "docker.io": {
                        "auth": "ZGFvamlhbmc6MTIzNDU2Nzg5"
                }
        }
}[[email protected] ~]$ 

普通用户无法看见root用户的镜像和容器

[[email protected] ~]# podman images
REPOSITORY                            TAG         IMAGE ID      CREATED       SIZE
docker.io/library/busybox             latest      beae173ccac6  7 months ago  1.46 MB
docker.io/library/httpd               latest      dabbfbe0c57b  7 months ago  148 MB
docker.io/library/alpine              latest      c059bfaa849c  8 months ago  5.87 MB
registry.fedoraproject.org/f29/httpd  latest      25c76f9dcdb5  3 years ago   482 MB

[[email protected] ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND           CREATED         STATUS             PORTS               NAMES
7771b661a871  docker.io/library/httpd:latest  httpd-foreground  39 minutes ago  Up 39 minutes ago  0.0.0.0:80->80/tcp  web
[[email protected] ~]# 
//普通用户
[[email protected] ~]# su - nie
Last login: Tue Aug 16 23:38:17 CST 2022 on pts/0
[[email protected] ~]$ podman images
REPOSITORY  TAG         IMAGE ID    CREATED     SIZE
[[email protected] ~]$ podman ps -a
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES
[[email protected] ~]$ 
//root用户也是无法看见普通用户的镜像和容器的
[[email protected] ~]$ podman run -dit --name b2 -p 8080:80 httpd
fd4da7d86334d2a0d2c416764cedc45a78c92071a3f07ea79e37701adff6b9e9
[[email protected] ~]$ podman ps -a
CONTAINER ID  IMAGE                           COMMAND           CREATED         STATUS             PORTS                 NAMES
fd4da7d86334  docker.io/library/httpd:latest  httpd-foreground  45 seconds ago  Up 45 seconds ago  0.0.0.0:8080->80/tcp  b2
[[email protected] ~]$ 
//root用户
[[email protected] ~]# podman ps -a
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

• 容器与root用户一起运行，则root容器中的用户实际上就是主机上的用户。

[[email protected] ~]$ podman ps
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS                 NAMES
fd4da7d86334  docker.io/library/httpd:latest  httpd-foreground  3 minutes ago  Up 3 minutes ago  0.0.0.0:8080->80/tcp  b2
[[email protected] ~]$ podman exec -it b2 /bin/bash
[email protected]:/usr/local/apache2# id
uid=0(root) gid=0(root) groups=0(root)

• UID GID是在/etc/subuid和/etc/subgid等中用户映射中指定的第一个UID GID。
• 如果普通用户的身份从主机目录挂载到容器中，并在该目录中以根用户身份创建文件，则会看到它实际上是你的用户在主机上拥有的。

使用卷

[[email protected] ~]$ pwd
/home/nie
[[email protected] ~]$ mkdir /home/nie/abc
#‘/abc:Z’默认是z指示绑定安装内容在多个容器直接共享，Z选项指示绑定安装内容是使用的且未共享
[[email protected] ~]$ podman run -dit --name web1 -v /home/nie/abc/:/abc:Z -p 8080:80 httpd
c7ad45b2f663871eb3458812c7eef7889815e0b4178953a62d158a82ceed456f
[[email protected] ~]$ 
[[email protected] ~]$ podman exec -it web1 /bin/bash
[email protected]:/usr/local/apache2# cd /abc
[email protected]:/abc# touch 456
[email protected]:/abc# ls -l
total 0
-rw-r--r--. 1 root root 0 Aug 16 16:19 456
[email protected]:/abc# 
//在主机上查看
[[email protected] ~]$ ll abc/
total 0
-rw-r--r--. 1 nie nie 0 Aug 17 00:19 456
//在主机上写入文件
[[email protected] ~]$ 
[[email protected] ~]$ echo "hello world" >> abc/456
[[email protected] ~]$ cat abc/456
hello world
[[email protected] ~]$ 

容器里查看

[[email protected] ~]$ podman exec -it web1 /bin/bash
[email protected]:/abc# cat 456
hello world
[email protected]:/abc# 
[email protected]:/abc# ls -l
total 4
-rw-r--r--. 1 root root 12 Aug 16 16:21 456
[email protected]:/abc# 

我们可以发现在容器里面的目录和文件的属主和属组都属于root，让其属于nie用户

//在运行容器的时候加上一个--userns=keep-id即可。保持一直id
[[email protected] ~]$ podman rm -f -l
c7ad45b2f663871eb3458812c7eef7889815e0b4178953a62d158a82ceed456f
[[email protected] ~]$  podman run -dit --name web1 --userns=keep-id -v $(pwd)/abc:/abc:Z busybox
Storing signatures
e7e46d4534e951a22fb77a71fa1167f0a09b1124121f258c604dbb7a7854504b
[[email protected] ~]$ 
[[email protected] ~]$ podman ps
CONTAINER ID  IMAGE                             COMMAND     CREATED             STATUS                 PORTS       NAMES
e7e46d4534e9  docker.io/library/busybox:latest  sh          About a minute ago  Up About a minute ago              web1
[[email protected] ~]$ 

使用普通用户映射容器端口时会报“ permission denied”的错误

[[email protected] ~]$ podman run -dit --name no1 -p 80:80 httpd
Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied
[[email protected] ~]$ 

普通用户可以映射>= 1024的端口

#删除之前报错的容器后再创建
[[email protected] ~]$ podman rm -f no1
d5ae497c96f97ef59d90322eee1b118a892999953430ffa18754664c859f3aa3

[[email protected] ~]$ podman run -dit --name no1 -p 1024:80 httpd
56a77fa8c003e7209033a0c97bc541af2cb6107b2a6ab8c2e7ec6aeb26b42e73
[[email protected] ~]$ 
[[email protected] ~]$ ss -anlt
State    Recv-Q   Send-Q     Local Address:Port      Peer Address:Port   Process   
LISTEN   0        128              0.0.0.0:22             0.0.0.0:*                
LISTEN   0        128                    *:1024                 *:*                
LISTEN   0        128                 [::]:22                [::]:*                
[[email protected] ~]$ 

配置echo ‘net.ipv4.ip_unprivileged_port_start=80’ >> /etc/sysctl.conf后可以映射大于等于80的端口

[[email protected] ~]# vim /etc/sysctl.conf 
net.ipv4.ip_unprivileged_port_start=80      #添加此行
[[email protected] ~]# sysctl -p
net.ipv4.ping_group_range = 0 200000
user.max_user_namespaces = 15000
net.ipv4.ip_unprivileged_port_start = 80
[[email protected] ~]#