podman的基本设置和使用,签名分发镜像推送到harbor仓库
podman的基本设置和使用
Podman 是作为 libpod 库的一部分提供的实用程序。它可用于创建和维护容器。以下教程将教您如何设置Podman并使用Podman执行一些基本命令。
podman的基本设置和使用
运行示例容器
此示例容器将运行一个非常基本的 httpd 服务器,该服务器仅为其索引页提供服务。
[root@podman ~]# podman run -dt -p 8080:8080/tcp -e HTTPD_VAR_RUN=/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d \
> -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf \
> -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \
> registry.fedoraproject.org/f29/httpd /usr/bin/run-httpd
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob d77ff9f653ce done
Copying blob aaf5ad2e1aa3 done
Copying blob 7692efc5f81c done
Copying config 25c76f9dcd done
Writing manifest to image destination
Storing signatures
81254d9cc4254c79c7497eeb6371003e0fd2e226f1337995bb56c233c99091b5
由于容器在分离模式下运行(在命令中由 -d 表示),因此 Podman 将在运行后打印容器 ID。请注意,我们使用端口转发来访问 HTTP 服务器。要成功运行,至少需要 slirp4netns v0.3.0。
查询一下slirp4netns是否高于 v0.3.0版本。
[root@podman ~]# rpm -qa|grep slirp4netns
slirp4netns-1.1.8-2.module_el8.7.0+1106+45480ee0.x86_64
列出正在运行的容器
[root@podman ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
81254d9cc425 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 5 minutes ago Up 5 minutes ago 0.0.0.0:8080->8080/tcp dreamy_merkle
注意:-l 是最新容器的便利参数。还可以使用容器的 ID 而不是 -l。
检查正在运行的容器
可以检查正在运行的容器,以获取有关其自身的元数据和详细信息。我们甚至可以使用 inspect 子命令来查看分配给容器的 IP 地址。由于容器在无根模式下运行,因此不会分配 IP 地址,并且该值将在检查的输出中列为“无”。
podman inspect -l |grep -i ipaddress
[root@podman ~]# podman inspect -l |grep -i ipaddress
"IPAddress": "10.88.0.3",
"IPAddress": "10.88.0.3",
测试httpd服务器
[root@podman ~]# podman port -l
8080/tcp -> 0.0.0.0:8080
[root@podman ~]# curl 10.88.0.3:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
...省略
web界面访问:
查看容器日志
podman logs --latest
[root@podman ~]# podman logs -l
=> sourcing 10-set-mpm.sh ...
=> sourcing 20-copy-config.sh ...
=> sourcing 40-ssl-certs.sh ...
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.3. Set the 'ServerName' directive globally to suppress this message
[Mon Aug 15 15:56:04.177877 2022] [ssl:warn] [pid 1:tid 139975668551040] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.1b FIPS 26 Feb 2019, version currently loaded is OpenSSL 1.1.1 FIPS 11 Sep 2018) - may result in undefined or erroneous behavior
...省略
查看容器的pid
podman top <container_id>
[root@podman ~]# podman top -l
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
default 1 0 0.000 17m15.264131783s pts/0 0s httpd -D FOREGROUND
default 23 1 0.000 17m15.264256639s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 24 1 0.000 17m15.264293599s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 25 1 0.000 17m15.264317041s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 26 1 0.000 17m15.264343615s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 27 1 0.000 17m15.264365551s pts/0 0s httpd -D FOREGROUND
default 28 1 0.000 17m15.264387439s pts/0 0s httpd -D FOREGROUND
default 30 1 0.000 17m15.264408209s pts/0 0s httpd -D FOREGROUND
default 37 1 0.000 17m15.264431233s pts/0 0s httpd -D FOREGROUND
default 242 1 0.000 7m50.264451911s pts/0 0s httpd -D FOREGROUND
对容器执行检查点操作
对容器执行检查点操作会停止容器,同时将容器中所有进程的状态写入磁盘。这样,容器以后可以还原,并在与检查点完全相同的时间点继续运行。此功能要求在系统上安装 CRIU 3.11 或更高版本。不支持此功能作为无根;因此,如果您想尝试一下,则需要使用相同的命令(但使用sudo)以root身份重新创建容器。若本身是管理员就不用sudu。
sudo podman container checkpoint <container_id>
[root@podman ~]# podman container checkpoint -l
81254d9cc4254c79c7497eeb6371003e0fd2e226f1337995bb56c233c99091b5
[root@podman ~]# ls
anaconda-ks.cfg container-web.service
[root@podman ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
81254d9cc425 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 53 minutes ago Exited (0) 17 seconds ago 0.0.0.0:8080->8080/tcp dreamy_merkle
恢复容器
还原容器仅适用于以前检查点的容器。还原的容器将继续在检查点操作的同一时间点运行。
sudo podman container restore <container_id>
[root@podman ~]# podman container restore -l
81254d9cc4254c79c7497eeb6371003e0fd2e226f1337995bb56c233c99091b5
[root@podman ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
81254d9cc425 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 54 minutes ago Up 54 minutes ago 0.0.0.0:8080->8080/tcp dreamy_merkle
还原后,容器将像检查点之前一样再次应答请求。
[root@podman ~]# curl 10.88.0.3:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
迁移容器
要将容器从一个主机实时迁移到另一个主机,容器将在迁移的源系统上执行检查点操作,传输到目标系统,然后在目标系统上还原。传输检查点时,可以指定输出文件。
在源系统上:
sudo podman container checkpoint <container_id> -e /tmp/checkpoint.tar.gz
scp /tmp/checkpoint.tar.gz <destination_system>:/tmp
[root@podman ~]# podman container checkpoint -l -e /tmp/checkpoint.tar.gz
81254d9cc4254c79c7497eeb6371003e0fd2e226f1337995bb56c233c99091b5
[root@podman ~]# scp /tmp/checkpoint.tar.gz 192.168.118.137:/tmp
在目标系统上:
sudo podman container restore -i /tmp/checkpoint.tar.gz
[root@localhost ~]# podman container restore -i /tmp/checkpoint.tar.gz
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob d77ff9f653ce done
Copying blob aaf5ad2e1aa3 done
Copying blob 7692efc5f81c done
Copying config 25c76f9dcd done
Writing manifest to image destination
Storing signatures
81254d9cc4254c79c7497eeb6371003e0fd2e226f1337995bb56c233c99091b5
还原后,web访问一下。
停止容器
要停止 httpd 容器,请执行以下操作:
[root@podman ~]# podman stop -l
81254d9cc4254c79c7497eeb6371003e0fd2e226f1337995bb56c233c99091b5
[root@podman ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
81254d9cc425 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... About an hour ago Exited (0) 5 seconds ago 0.0.0.0:8080->8080/tcp dreamy_merkle
移除容器
删除 httpd 容器:
[root@podman ~]# podman rm -l
81254d9cc4254c79c7497eeb6371003e0fd2e226f1337995bb56c233c99091b5
[root@podman ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
podman签名分发镜像推送到harbor仓库
签署容器镜像的动机是只信任专门的镜像提供者以减轻中间人 (MITM) 攻击或对容器注册表的攻击。签署图像的一种方法是使用 GNU Privacy Guard ( GPG ) 密钥。这种技术通常与任何符合 OCI 的容器注册表兼容,例如:Quay.io。值得一提的是,OpenShift 集成容器注册表开箱即用地支持这种签名机制,这使得单独的签名存储变得不必要。
从技术角度来看,我们可以利用 Podman 对镜像进行签名,然后再将其推送到远程注册表。之后,所有运行 Podman 的系统都必须配置为从远程服务器检索签名,远程服务器可以是任何简单的 Web 服务器。这意味着在图像拉取操作期间,每个未签名的图像都将被拒绝。但这是如何工作的?
首先,我们必须创建一个 GPG 密钥对或选择一个已经在本地可用的密钥对。要生成新的 GPG 密钥,只需运行gpg --full-gen-key并按照交互式对话框操作。现在我们应该能够验证密钥在本地是否存在:
[root@podman ~]# gpg --full-gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: daxinyu@317.com
Email address: daxinyu@317.com
Comment: dada
You selected this USER-ID:
"daxinyu@317.com (dada) <daxinyu@317.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
#设置秘钥,tab到ok回车,这里要输入2次密码,设置密码时大于8位数
┌─┐
│ Please enter the passphrase to │
│ protect your new key │
│ │
│ Passphrase: ***********
│ │
│ <OK> <Cancel> │
└─┘
┌─┐
│ Please re-enter this passphrase │
│ │
│ Passphrase: ***********
│ │
│ <OK> <Cancel> │
└─┘
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 790E0F879B594C6D marked as ultimately trusted
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/6C72C4A589A2A40906BCA7BE790E0F879B594C6D.rev'
public and secret key created and signed.
pub rsa2048 2022-08-15 [SC]
6C72C4A589A2A40906BCA7BE790E0F879B594C6D
uid daxinyu@317.com (dada) <daxinyu@317.com>
sub rsa2048 2022-08-15 [E]
[root@podman ~]# gpg --list-keys daxinyu@317.com
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
pub rsa2048 2022-08-15 [SC]
6C72C4A589A2A40906BCA7BE790E0F879B594C6D
uid [ultimate] daxinyu@317.com (dada) <daxinyu@317.com>
sub rsa2048 2022-08-15 [E]