The cgroup v2 Linux kernel feature lets you limit the resources a rootless (regular-user) container may use. If the Linux distribution running Podman has cgroup v2 enabled, the default OCI runtime may need to be changed: some older versions of runc do not work with cgroup v2, so you must switch to the alternative OCI runtime crun.
```
[root@localhost ~]# dnf -y install crun
[root@localhost ~]# vim /usr/share/containers/containers.conf
runtime = "crun"
#runtime = "runc"
[root@localhost ~]# podman run -d --name web -p 80:80 httpd
7771b661a871d5e2e44080fc649400f2d45e650255bce3d2fea65dbf9ee4790c
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND           CREATED         STATUS             PORTS               NAMES
7771b661a871  docker.io/library/httpd:latest  httpd-foreground  31 seconds ago  Up 30 seconds ago  0.0.0.0:80->80/tcp  web
[root@localhost ~]# podman inspect web | grep crun
        "OCIRuntime": "crun",
            "crun",
[root@localhost ~]#
```
Install slirp4netns and fuse-overlayfs

When using Podman as a regular (rootless) user, fuse-overlayfs is recommended over the VFS storage driver; fuse-overlayfs 0.7.6 or later is required. Install slirp4netns and fuse-overlayfs:
```
[root@localhost ~]# dnf -y install fuse-overlayfs
[root@localhost ~]# dnf -y install slirp4netns
[root@localhost ~]# vim /etc/containers/storage.conf
mount_program = "/usr/bin/fuse-overlayfs"   # search for "fuse" and uncomment this line
[root@localhost ~]# which fuse-overlayfs
/usr/bin/fuse-overlayfs
```

/etc/subuid and /etc/subgid configuration

Podman requires the user running it to have a range of UIDs listed in the /etc/subuid and /etc/subgid files. These files are provided by the shadow-utils or newuid package.

```
[root@localhost ~]# dnf -y install shadow-utils
```
Check /etc/subuid and /etc/subgid: each user's range must be unique and must not overlap any other user's range.
```
[root@localhost ~]# useradd nie
[root@localhost ~]# cat /etc/subuid
nie:100000:65536
[root@localhost ~]# cat /etc/subgid
nie:100000:65536
[root@localhost ~]#
```

Enable unprivileged ping

```
[root@localhost ~]# vim /etc/sysctl.conf
net.ipv4.ping_group_range=0 200000   # add this line; a range extending past 100000 means tom can use podman
```
The format of this file is USERNAME:UID:RANGE, where USERNAME is a user name listed in /etc/passwd or in the output of getpwent, UID is the first subordinate ID allocated to the user, and RANGE is the number of IDs allocated.

Instead of editing the files directly, the usermod program can be used to assign subordinate UIDs and GIDs to a user.
```
[root@localhost ~]# useradd bang
[root@localhost ~]# cat /etc/subuid /etc/subgid
nie:100000:65536
bang:165536:65536
nie:100000:65536
bang:165536:65536
[root@localhost ~]#
[root@localhost ~]# cat /etc/subuid /etc/subgid
nie:100000:65536
bang:165536:65536
bang:20000:101
nie:100000:65536
bang:165536:65536
bang:20000:101
[root@localhost ~]#
[root@localhost ~]# usermod --del-subuids 165536-231072 --del-subgids 165536-231072 bang
[root@localhost ~]# cat /etc/subuid /etc/subgid
nie:100000:65536
bang:20000:101
nie:100000:65536
bang:20000:101
[root@localhost ~]#
[root@localhost ~]# usermod --add-subuids 200000-201000 --add-subgids 200000-201000 bang
[root@localhost ~]# cat /etc/subuid /etc/subgid
nie:100000:65536
bang:20000:101
bang:200000:1001
nie:100000:65536
bang:20000:101
bang:200000:1001
[root@localhost ~]#
```
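As an added check for the no-overlap rule above (this is example code, not part of the original post), the following Python snippet parses /etc/subuid-style entries and reports ranges that intersect. The sample text is constructed from this page's final entries plus one deliberately overlapping line for a hypothetical user "carol".

```python
# Added example, not part of the original post: parse USERNAME:UID:RANGE lines
# from /etc/subuid or /etc/subgid and report any ranges that overlap, which is
# the condition the text above says must never happen.

def parse_subid(text):
    """Return (user, first_id, last_id) for every entry; reject malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3 or not (fields[1].isdigit() and fields[2].isdigit()):
            raise ValueError(f"line {lineno}: expected USERNAME:UID:RANGE, got {line!r}")
        user, start, count = fields[0], int(fields[1]), int(fields[2])
        if count == 0:
            raise ValueError(f"line {lineno}: empty range for {user}")
        entries.append((user, start, start + count - 1))
    return entries

def find_overlaps(entries):
    """Return every pair of entries whose ID ranges intersect, for any users."""
    ordered = sorted(entries, key=lambda e: e[1])
    overlaps = []
    for i, (u1, s1, e1) in enumerate(ordered):
        for u2, s2, e2 in ordered[i + 1:]:
            if s2 > e1:
                break          # sorted by start, so nothing later can reach back to e1
            overlaps.append(((u1, s1, e1), (u2, s2, e2)))
    return overlaps

# Constructed samples: this page's final /etc/subuid, and the same file with a
# hypothetical user "carol" whose range 150000-169999 collides with nie's.
SUBUID_OK = "nie:100000:65536\nbang:20000:101\nbang:200000:1001\n"
SUBUID_BAD = SUBUID_OK + "carol:150000:20000\n"

if __name__ == "__main__":
    for name, text in (("ok", SUBUID_OK), ("bad", SUBUID_BAD)):
        clashes = find_overlaps(parse_subid(text))
        print(name, "no overlaps" if not clashes else clashes)
```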
The three main configuration files are containers.conf, storage.conf and registries.conf. Users can modify these files as needed.

containers.conf (container configuration file)
```
// user configuration files
[root@localhost ~]# cat /usr/share/containers/containers.conf
[root@localhost ~]# cat /etc/containers/containers.conf
[root@localhost ~]# cat ~/.config/containers/containers.conf   // highest priority
```
storage.conf (storage configuration file)

1. /etc/containers/storage.conf
2. $HOME/.config/containers/storage.conf

For regular (rootless) users, some fields in /etc/containers/storage.conf are ignored.
```
[root@localhost ~]# vim /etc/containers/storage.conf
driver = "overlay"                           # change this to overlay
......
mount_program = "/usr/bin/fuse-overlayfs"    # uncomment this line
[root@localhost ~]# vim /etc/sysctl.conf
user.max_user_namespaces=15000               # add this line
```
For regular users these fields default to the following:
```
[root@localhost ~]# vim /etc/containers/storage.conf
graphroot="$HOME/.local/share/containers/storage"
runroot="$XDG_RUNTIME_DIR/containers"
```
registries.conf (registry configuration file)

The configuration is read in the following order. These files are not created by default; copy them from /usr/share/containers or /etc/containers and modify them.

1. /etc/containers/registries.conf
2. /etc/containers/registries.d/*
3. $HOME/.config/containers/registries.conf
The auth.json file records the Docker account password, stored in encoded form rather than as plain text.

The root user and a regular user are authorized with the same Docker account and password.
```
[root@localhost ~]# podman login
Username: daojiang
Password:
Login Succeeded!
[root@localhost ~]#
[root@localhost ~]# find / -name auth.json
/run/user/0/containers/auth.json
[root@localhost ~]#
[root@localhost ~]# cat /run/user/0/containers/auth.json
{
	"auths": {
		"docker.io": {
			"auth": "ZGFvamlhbmc6MTIzNDU2Nzg5"
		}
	}
}[root@localhost ~]#
[nie@localhost ~]$ find / -name auth.json
/tmp/podman-run-1000/containers/auth.json
[nie@localhost ~]$
[nie@localhost ~]$ cat //tmp/podman-run-1000/containers/auth.json
{
	"auths": {
		"docker.io": {
			"auth": "ZGFvamlhbmc6MTIzNDU2Nzg5"
		}
	}
}[nie@localhost ~]$
```
A regular user cannot see the root user's images and containers
```
[root@localhost ~]# podman images
REPOSITORY                            TAG     IMAGE ID      CREATED       SIZE
docker.io/library/busybox             latest  beae173ccac6  7 months ago  1.46 MB
docker.io/library/httpd               latest  dabbfbe0c57b  7 months ago  148 MB
docker.io/library/alpine              latest  c059bfaa849c  8 months ago  5.87 MB
registry.fedoraproject.org/f29/httpd  latest  25c76f9dcdb5  3 years ago   482 MB
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND           CREATED         STATUS             PORTS               NAMES
7771b661a871  docker.io/library/httpd:latest  httpd-foreground  39 minutes ago  Up 39 minutes ago  0.0.0.0:80->80/tcp  web
[root@localhost ~]#
// regular user
[root@localhost ~]# su - nie
Last login: Tue Aug 16 23:38:17 CST 2022 on pts/0
[nie@localhost ~]$ podman images
REPOSITORY  TAG  IMAGE ID  CREATED  SIZE
[nie@localhost ~]$ podman ps -a
CONTAINER ID  IMAGE  COMMAND  CREATED  STATUS  PORTS  NAMES
[nie@localhost ~]$
// the root user cannot see the regular user's images and containers either
[nie@localhost ~]$ podman run -dit --name b2 -p 8080:80 httpd
fd4da7d86334d2a0d2c416764cedc45a78c92071a3f07ea79e37701adff6b9e9
[nie@localhost ~]$ podman ps -a
CONTAINER ID  IMAGE                           COMMAND           CREATED         STATUS             PORTS                 NAMES
fd4da7d86334  docker.io/library/httpd:latest  httpd-foreground  45 seconds ago  Up 45 seconds ago  0.0.0.0:8080->80/tcp  b2
[nie@localhost ~]$
// root user
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE  COMMAND  CREATED  STATUS  PORTS  NAMES
```
```
[nie@localhost ~]$ podman ps
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS                 NAMES
fd4da7d86334  docker.io/library/httpd:latest  httpd-foreground  3 minutes ago  Up 3 minutes ago  0.0.0.0:8080->80/tcp  b2
[nie@localhost ~]$ podman exec -it b2 /bin/bash
root@fd4da7d86334:/usr/local/apache2# id
uid=0(root) gid=0(root) groups=0(root)
```
```
[nie@localhost ~]$ pwd
/home/nie
[nie@localhost ~]$ mkdir /home/nie/abc
# '/abc:Z': the lowercase z option marks the bind-mount content as shared between multiple containers; the uppercase Z option marks it as private and unshared
[nie@localhost ~]$ podman run -dit --name web1 -v /home/nie/abc/:/abc:Z -p 8080:80 httpd
c7ad45b2f663871eb3458812c7eef7889815e0b4178953a62d158a82ceed456f
[nie@localhost ~]$
[nie@localhost ~]$ podman exec -it web1 /bin/bash
root@c7ad45b2f663:/usr/local/apache2# cd /abc
root@c7ad45b2f663:/abc# touch 456
root@c7ad45b2f663:/abc# ls -l
total 0
-rw-r--r--. 1 root root 0 Aug 16 16:19 456
root@c7ad45b2f663:/abc#
// check on the host
[nie@localhost ~]$ ll abc/
total 0
-rw-r--r--. 1 nie nie 0 Aug 17 00:19 456
// write to the file on the host
[nie@localhost ~]$
[nie@localhost ~]$ echo "hello world" >> abc/456
[nie@localhost ~]$ cat abc/456
hello world
[nie@localhost ~]$
```
Check inside the container
```
[nie@localhost ~]$ podman exec -it web1 /bin/bash
root@c7ad45b2f663:/abc# cat 456
hello world
root@c7ad45b2f663:/abc#
root@c7ad45b2f663:/abc# ls -l
total 4
-rw-r--r--. 1 root root 12 Aug 16 16:21 456
root@c7ad45b2f663:/abc#
```
We can see that inside the container the directory and the file are owned by root (both user and group). To make them belong to the user nie instead:
```
// just add --userns=keep-id when running the container: it keeps the same id
[nie@localhost ~]$ podman rm -f -l
c7ad45b2f663871eb3458812c7eef7889815e0b4178953a62d158a82ceed456f
[nie@localhost ~]$ podman run -dit --name web1 --userns=keep-id -v $(pwd)/abc:/abc:Z busybox
Storing signatures
e7e46d4534e951a22fb77a71fa1167f0a09b1124121f258c604dbb7a7854504b
[nie@localhost ~]$
[nie@localhost ~]$ podman ps
CONTAINER ID  IMAGE                             COMMAND  CREATED             STATUS                 PORTS  NAMES
e7e46d4534e9  docker.io/library/busybox:latest  sh       About a minute ago  Up About a minute ago         web1
[nie@localhost ~]$
```
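The ownership flip seen above (root inside web1, nie on the host) follows from the user-namespace UID map Podman builds from /etc/subuid. This added Python example, not part of the original post, computes that map for the default rootless mode and for --userns=keep-id and resolves container UIDs to host UIDs; it assumes nie has host UID 1000 (the /tmp/podman-run-1000 path above) and the subuid entry nie:100000:65536 shown on this page.

```python
# Added example, not from the original post. Builds the user-namespace UID map
# Podman uses for a rootless container (default mode and --userns=keep-id) and
# resolves container UIDs to host UIDs. Assumes the values shown on this page:
# nie has host UID 1000 and the /etc/subuid entry nie:100000:65536.

HOST_UID, SUB_START, SUB_COUNT = 1000, 100000, 65536

def default_uid_map(host_uid, sub_start, sub_count):
    """Default rootless mapping: container root IS the host user; container
    UIDs 1..N are drawn from the subordinate range. Each entry is
    (container_base, host_base, length), the layout of /proc/<pid>/uid_map."""
    return [(0, host_uid, 1), (1, sub_start, sub_count)]

def keep_id_uid_map(host_uid, sub_start, sub_count):
    """--userns=keep-id: the host user keeps its own UID inside the container;
    every other container UID is taken from the subordinate range."""
    return [
        (0, sub_start, host_uid),                                    # 0 .. host_uid-1
        (host_uid, host_uid, 1),                                     # host_uid -> host_uid
        (host_uid + 1, sub_start + host_uid, sub_count - host_uid),  # the rest
    ]

def to_host_uid(uid_map, ctr_uid):
    """Resolve a container UID through a uid_map. Returns None when the UID is
    not mapped (the kernel then shows the overflow UID, 65534 'nobody')."""
    for ctr_base, host_base, length in uid_map:
        if ctr_base <= ctr_uid < ctr_base + length:
            return host_base + (ctr_uid - ctr_base)
    return None

def to_container_uid(uid_map, host_uid):
    """Inverse lookup: the UID a host-owned file appears as inside the container."""
    for ctr_base, host_base, length in uid_map:
        if host_base <= host_uid < host_base + length:
            return ctr_base + (host_uid - host_base)
    return None

if __name__ == "__main__":
    for name, m in (("default", default_uid_map(HOST_UID, SUB_START, SUB_COUNT)),
                    ("keep-id", keep_id_uid_map(HOST_UID, SUB_START, SUB_COUNT))):
        # Default mode: a file created by container root lands on the host as
        # UID 1000 (nie). keep-id: container UID 1000 is nie, container root is 100000.
        print(f"{name}: ctr 0 -> host {to_host_uid(m, 0)}, "
              f"host 1000 -> ctr {to_container_uid(m, HOST_UID)}")
```

A file on the host owned by real root (UID 0) is unmapped in both modes, which is why it shows up as nobody inside a rootless container.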
Mapping a container port as a regular user fails with a "permission denied" error
```
[nie@localhost ~]$ podman run -dit --name no1 -p 80:80 httpd
Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied
[nie@localhost ~]$
```
A regular user can map ports >= 1024
```
# remove the container that failed, then create it again
[nie@localhost ~]$ podman rm -f no1
d5ae497c96f97ef59d90322eee1b118a892999953430ffa18754664c859f3aa3
[nie@localhost ~]$ podman run -dit --name no1 -p 1024:80 httpd
56a77fa8c003e7209033a0c97bc541af2cb6107b2a6ab8c2e7ec6aeb26b42e73
[nie@localhost ~]$
[nie@localhost ~]$ ss -anlt
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128           0.0.0.0:22         0.0.0.0:*
LISTEN  0       128                 *:1024             *:*
LISTEN  0       128              [::]:22            [::]:*
[nie@localhost ~]$
```
After adding the setting with echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf, ports from 80 upward can be mapped
```
[root@localhost ~]# vim /etc/sysctl.conf
net.ipv4.ip_unprivileged_port_start=80   # add this line
[root@localhost ~]# sysctl -p
net.ipv4.ping_group_range = 0 200000
user.max_user_namespaces = 15000
net.ipv4.ip_unprivileged_port_start = 80
[root@localhost ~]#
```