Managing Podman for rootless users


Before allowing users without root privileges to run Podman, the administrator must install or build Podman and complete the following configuration.

Basic setup

cgroup V2 is a Linux kernel feature that lets you limit the resources an ordinary user's containers may use. If the Linux distribution running Podman has cgroup V2 enabled, the default OCI runtime may need to be changed: some older versions of runc do not work with cgroup V2, so you must switch to the alternative OCI runtime crun.

[root@localhost ~]# dnf -y install crun 			// ships with CentOS 8, can be installed directly
[root@localhost ~]# vim /usr/share/containers/containers.conf 
runtime = "crun"				// uncomment
#runtime = "runc"				// comment out
// start a container
[root@localhost ~]# podman run -d --name web nginx
Resolving "nginx" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob b4df32aa5a72 done  
Copying blob 589b7251471a done  
Copying blob a0bcbecc962e done  
Copying blob 186b1aaa4aa6 done  
Copying blob a2abf6c4d29d done  
Copying blob a9edb18cadd1 done  
Copying config 605c77e624 done  
Writing manifest to image destination
Storing signatures
230ef7f477fe7b5348bbef97ac6c28d3a38b2a535f5398b06b735530922d9634
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED         STATUS             PORTS       NAMES
230ef7f477fe  docker.io/library/nginx:latest  nginx -g daemon o...  13 seconds ago  Up 13 seconds ago              web
[root@localhost ~]# podman inspect web | grep -i ociruntime
        "OCIRuntime": "crun",

Installing slirp4netns and fuse-overlayfs

When using Podman as an ordinary user, fuse-overlayfs (version 0.7.6 or later) is recommended over the VFS storage driver. Newer versions already use it by default.

[root@localhost ~]# dnf -y install slirp4netns fuse-overlayfs
[root@localhost ~]# vim /etc/containers/storage.conf 
mount_program = "/usr/bin/fuse-overlayfs"			// uncomment

subuid and subgid configuration

Podman requires that the user running it has a range of UIDs listed in /etc/subuid and /etc/subgid; these files are provided by the shadow-utils or newuid package.

[root@localhost ~]# yum -y install shadow-utils
// These can be checked in /etc/subuid and /etc/subgid; each user's values must be unique, with no overlap.
[root@localhost ~]# useradd zz
[root@localhost ~]# cat /etc/subuid
zz:100000:65536
[root@localhost ~]# cat /etc/subgid
zz:100000:65536
[root@localhost ~]# 

[root@localhost ~]# vim /etc/sysctl.conf 
net.ipv4.ping_group_range=0 200000				// add this line; going above 100000 means that tom can use podman

The format of this file is USERNAME:UID:RANGE, where USERNAME is the username as listed in /etc/passwd or in the output of getpwent, followed by:

  • the initial UID allocated to the user;
  • the size of the UID range allocated to the user.

The usermod program can be used to assign UIDs and GIDs to a user instead of editing the files directly.

[root@localhost ~]# useradd xx
[root@localhost ~]# cat /etc/subuid /etc/subgid
zz:100000:65536
xx:165536:65536
zz:100000:65536
xx:165536:65536
[root@localhost ~]# usermod --add-subuids 200000-201000 --add-subgids 200000-201000 xx
[root@localhost ~]# cat /etc/subuid /etc/subgid
zz:100000:65536
xx:165536:65536
zz:100000:65536
xx:165536:65536
[root@localhost ~]# usermod --del-subuids 165536-231072 --del-subgids 165536-231072 xx			// --del removes a range
[root@localhost ~]# cat /etc/subuid /etc/subgid
zz:100000:65536
zz:100000:65536
[root@localhost ~]# usermod --add-subuids 200000-201000 --add-subgids 200000-201000 xx			// --add adds a range
[root@localhost ~]# cat /etc/subuid /etc/subgid
zz:100000:65536
xx:200000:1001
zz:100000:65536
xx:200000:1001
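The text above requires that no two users' subuid/subgid ranges overlap, but nothing on the system checks this for you when the files are edited by hand. The following shell function is an added example (not from the original post): it parses a USERNAME:START:COUNT file and reports every overlapping pair, exiting non-zero when one exists. It runs against a constructed sample rather than the real /etc/subuid.

```shell
#!/bin/sh
# Added example: detect overlapping USERNAME:START:COUNT ranges in a
# subuid/subgid style file. Prints each overlapping pair and returns 1
# if any overlap exists, 0 otherwise. Comment lines and malformed
# lines are skipped.
check_subid_overlap() {
    file="$1"
    awk -F: '
        NF == 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            n++; user[n] = $1; lo[n] = $2; hi[n] = $2 + $3 - 1
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    # two closed intervals overlap when each starts before the other ends
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s (%d-%d) and %s (%d-%d)\n", user[i], lo[i], hi[i], user[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad
        }' "$file"
}

# Constructed sample: zz and xx match the post and do not overlap,
# but a hypothetical user "bob" was given a range that collides with both.
sample=$(mktemp)
printf 'zz:100000:65536\nxx:165536:65536\nbob:150000:20000\n' > "$sample"
check_subid_overlap "$sample" || echo "(overlap detected, exit status 1)"
rm -f "$sample"
```

Run it as `check_subid_overlap /etc/subuid` and again for /etc/subgid after any manual edit or usermod call.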

User configuration files

The three main configuration files are containers.conf, storage.conf and registries.conf. Users can modify them as needed.

containers.conf (container configuration file)

// How to view the user configuration files
[root@localhost ~]# cat /usr/share/containers/containers.conf 	// commonly used
// other locations
[root@localhost ~]# cat /etc/containers/containers.conf			
[root@localhost ~]# cat ~/.config/containers/containers.conf	// highest priority

They are read in that order, if they exist; each file can override specific fields of the previous one.

storage.conf (storage configuration file)

1./etc/containers/storage.conf
2.$HOME/.config/containers/storage.conf

When run by an ordinary user, some fields of /etc/containers/storage.conf are ignored.

[root@localhost ~]# vim /etc/containers/storage.conf 
// find driver
driver = "overlay"			// this is overlay
// find mount_program
mount_program = "/usr/bin/fuse-overlayfs"		// uncomment

[root@localhost ~]# vim /etc/sysctl.conf 		// required on versions below 8; sets the number of user namespaces available to rootless users
user.max_user_namespaces=15000				// add

For an ordinary user, these are the default fields in question:

[root@localhost ~]# vim /etc/containers/storage.conf 
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"

registries.conf (registry configuration file)

The configuration is read in this order. These files are not created by default; they can be copied from /usr/share/containers or /etc/containers and then modified.

1./etc/containers/registries.conf
2./etc/containers/registries.d/*
3.$HOME/.config/containers/registries.conf

Authorization file

This file holds the Docker account password, shown in encoded form.

The Docker account and password authorization is the same for the root user and an ordinary user.

[root@localhost ~]# podman login
Username: xinruizhong
Password: 
Login Succeeded!
[root@localhost ~]# find / -name auth.json
/run/user/0/containers/auth.json
[root@localhost ~]# cat /run/user/0/containers/auth.json 
{
        "auths": {
                "docker.io": {
                        "auth": "eGlucnVpemhvbmc6WnoyMDAyMDYyNS4u"
                }
        }
}
[root@localhost ~]# su - zz
[zz@localhost ~]$ podman login
Username: xinruizhong
Password: 
Login Succeeded!
[zz@localhost ~]$ find / -name auth.json
/tmp/podman-run-1000/containers/auth.json
[zz@localhost ~]$ cat /tmp/podman-run-1000/containers/auth.json 
{
        "auths": {
                "docker.io": {
                        "auth": "eGlucnVpemhvbmc6WnoyMDAyMDYyNS4u"
                }
        }
}
[zz@localhost ~]$ exit
logout
[root@localhost ~]# 

An ordinary user cannot see the root user's images and containers.

// root user
[root@localhost ~]# podman images
REPOSITORY               TAG         IMAGE ID      CREATED       SIZE
docker.io/library/nginx  latest      605c77e624dd  7 months ago  146 MB
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED      STATUS          PORTS       NAMES
230ef7f477fe  docker.io/library/nginx:latest  nginx -g daemon o...  2 hours ago  Up 2 hours ago              web

// ordinary user
[root@localhost ~]# su - zz
Last login: Tue Aug 16 22:19:02 CST 2022 on pts/2
[zz@localhost ~]$ podman images
REPOSITORY  TAG         IMAGE ID    CREATED     SIZE
[zz@localhost ~]$ podman ps -a
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

The root user likewise cannot see an ordinary user's images and containers.

// ordinary user
[zz@localhost ~]$ podman pull httpd		// pull the image
Resolving "httpd" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/library/httpd:latest...
Getting image source signatures
Copying blob aed046121ed8 skipped: already exists  
Copying blob 4340e7be3d7f skipped: already exists  
Copying blob 80e368ef21fc skipped: already exists  
Copying blob 1efc276f4ff9 skipped: already exists  
Copying blob 80cb79a80bbe done  
Copying config f2a976f932 done  
Writing manifest to image destination
Storing signatures
f2a976f932ec6fe48978c1cdde2c8217a497b1f080c80e49049e02757302cf74
[zz@localhost ~]$ podman images
REPOSITORY               TAG         IMAGE ID      CREATED      SIZE
docker.io/library/httpd  latest      f2a976f932ec  2 weeks ago  149 MB
// create a container
[zz@localhost ~]$ podman run -dit --name b1 -p 8080:80 httpd
b5cdee0cc511a7acc3e0174b3ad77c6117113c7111d0863dcd8e718a78fe6b6d
[zz@localhost ~]$ podman ps -a
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS                 NAMES
b5cdee0cc511  docker.io/library/httpd:latest  httpd-foreground  7 seconds ago  Up 7 seconds ago  0.0.0.0:8080->80/tcp  b1

// root user
[root@localhost ~]# podman images
REPOSITORY               TAG         IMAGE ID      CREATED       SIZE
docker.io/library/nginx  latest      605c77e624dd  7 months ago  146 MB
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED      STATUS          PORTS       NAMES
230ef7f477fe  docker.io/library/nginx:latest  nginx -g daemon o...  2 hours ago  Up 2 hours ago              web

  • When a container is run as a rootless user, the root user inside the container is actually your user on the host.
[zz@localhost ~]$ podman ps
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS                 NAMES
b5cdee0cc511  docker.io/library/httpd:latest  httpd-foreground  3 minutes ago  Up 3 minutes ago  0.0.0.0:8080->80/tcp  b1
[zz@localhost ~]$ podman exec -it b1 /bin/bash
root@b5cdee0cc511:/usr/local/apache2# id
uid=0(root) gid=0(root) groups=0(root)
  • The UID/GID used is the first UID/GID specified in the user mapping in /etc/subuid and /etc/subgid.
  • If you mount a host directory into the container as an ordinary user and create a file in that directory as root inside the container, you will see that it is actually owned by your user on the host.

Using volumes

[root@localhost ~]# su - zz
[zz@localhost ~]$ pwd 
/home/zz
[zz@localhost ~]$ mkdir /home/zz/abc

// '/abc:Z': by default the lowercase z option indicates that the bind-mounted content is shared between multiple containers; the uppercase Z option indicates that the bind-mounted content is private and unshared
[zz@localhost ~]$ podman run -dit --name zxr -v /home/zz/abc/:/abc:Z -p 8080:80 httpd
5f8c15de22474eecb4d24e729ea907ec26ff109ac69cc09020ed8e017843de97
[zz@localhost ~]$ podman exec -it zxr /bin/bash
root@5f8c15de2247:/usr/local/apache2# cd /abc/
root@5f8c15de2247:/abc# touch 123
root@5f8c15de2247:/abc# ls -l
total 0
drwxr-xr-x. 2 nobody nogroup 6 Aug 16 14:44 aaa

View on the host

[zz@localhost ~]$ ll abc/		// viewed as user zz
total 0
-rw-r--r--. 1 zz zz 0 Aug 16 22:52 123

// write a file as the user
[zz@localhost ~]$ echo "hello world" >> abc/111
[zz@localhost ~]$ cat abc/111
hello world

View in the container

root@5f8c15de2247:/abc# ls
111  123
root@5f8c15de2247:/abc# cat 111
hello world

Making the owner and group of the directories and files in the container show as zz

// Simply add --userns=keep-id when running the container; it keeps the same id.
[zz@localhost ~]$ podman rm -f -l		
5f8c15de22474eecb4d24e729ea907ec26ff109ac69cc09020ed8e017843de97
[zz@localhost ~]$ podman ps -a
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES
[zz@localhost ~]$ podman run -dit --name zzz --userns=keep-id -v $(pwd)/abc:/abc:Z busybox
Resolved "busybox" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 50783e0dfb64 done  
Copying config 7a80323521 done  
Writing manifest to image destination
Storing signatures
42c49ace20d71e2c2356029bef2c770279a6b35b68b69c83e6e443e9b0a0d61a
[zz@localhost ~]$ podman ps 
CONTAINER ID  IMAGE                             COMMAND     CREATED         STATUS             PORTS       NAMES
42c49ace20d7  docker.io/library/busybox:latest  sh          20 seconds ago  Up 20 seconds ago              zzz
[zz@localhost ~]$ podman exec -it zzz /bin/sh
~ $ cd abc/
/abc $ ls -l
total 4
-rw-rw-r--    1 zz       zz              12 Aug 16 14:55 111
-rw-r--r--    1 zz       zz               0 Aug 16 14:52 123
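The bullet list above and the --userns=keep-id run just shown are two views of the same UID mapping. The shell functions below are an added example (not from the original post) that compute which host UID a given container UID lands on for a rootless user, so the ownership seen on both sides of the bind mount can be predicted before running anything. They assume the mapping rules as stated in the comments: by default container UID 0 is the user's own UID and container UIDs 1..COUNT come from the subuid range in order; with keep-id the user's own UID is mapped to itself and the subuid range fills the container UIDs below and above it.

```shell
#!/bin/sh
# Added example: predict the host UID behind a container UID for a rootless
# user. Arguments: HOST_UID SUB_START SUB_COUNT CTR_UID.

# Default rootless mapping: container 0 -> HOST_UID,
# container 1..SUB_COUNT -> SUB_START..SUB_START+SUB_COUNT-1.
rootless_host_uid() {
    host=$1; start=$2; count=$3; ctr=$4
    if [ "$ctr" -eq 0 ]; then
        echo "$host"
    elif [ "$ctr" -le "$count" ]; then
        echo $((start + ctr - 1))
    else
        echo "unmapped"      # no host UID backs this container UID
    fi
}

# --userns=keep-id mapping (assumed): container HOST_UID -> HOST_UID,
# container UIDs below it take the first HOST_UID subuids, the rest follow.
keepid_host_uid() {
    host=$1; start=$2; count=$3; ctr=$4
    if [ "$ctr" -eq "$host" ]; then
        echo "$host"
    elif [ "$ctr" -lt "$host" ]; then
        echo $((start + ctr))
    elif [ "$ctr" -le "$count" ]; then
        echo $((start + ctr - 1))
    else
        echo "unmapped"
    fi
}

# Constructed values matching the post: zz is host UID 1000 (see
# /tmp/podman-run-1000) with the subuid range 100000:65536.
rootless_host_uid 1000 100000 65536 0      # 1000: container root is zz on the host
rootless_host_uid 1000 100000 65536 1      # 100000: first UID of the subuid range
keepid_host_uid   1000 100000 65536 1000   # 1000: zz keeps its own UID in the container
keepid_host_uid   1000 100000 65536 0      # 100000: container root is now a subuid
```

The first line explains why the file touched as root in the earlier container shows up as zz on the host, and the third why files owned by zz on the host are listed as zz inside the keep-id container.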

Mapping a container port as an ordinary user gives a "permission denied" error

[zz@localhost ~]$ podman run -dit --name xxx -p 80:80 httpd
Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied

An ordinary user can map ports >= 1024

[zz@localhost ~]$ podman rm -f xxx
804118df04eb0e049a187288d5a74429fba36db1e8ca25dcb114ec98627690fa
[zz@localhost ~]$ podman run -dit --name xxx -p 1024:80 httpd
73bb26b44db1487b0a95271fc8a833d63883c80b72b7225e432df6a4bb911b71
[zz@localhost ~]$ ss -anlt
State             Recv-Q            Send-Q                       Local Address:Port                       Peer Address:Port            Process            
LISTEN            0                 128                                0.0.0.0:22                              0.0.0.0:*                                  
LISTEN            0                 128                                   [::]:22                                 [::]:*                                  
LISTEN            0                 128                                      *:1024                                  *:*                                

After configuring echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf, ports >= 80 can be mapped

[root@localhost ~]# vim /etc/sysctl.conf 
net.ipv4.ip_unprivileged_port_start = 80			// add at the end
[root@localhost ~]# sysctl -p   			// apply immediately
net.ipv4.ip_unprivileged_port_start = 80

// To demonstrate the effect, remove the root user's container that is using port 80
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED      STATUS          PORTS       NAMES
230ef7f477fe  docker.io/library/nginx:latest  nginx -g daemon o...  3 hours ago  Up 3 hours ago              web
[root@localhost ~]# podman rm -f -l
230ef7f477fe7b5348bbef97ac6c28d3a38b2a535f5398b06b735530922d9634

// create a test container
[root@localhost ~]# podman run -dit --name xxx -p 80:80 httpd
498e966c5635f025be5e3236b8692562a65d3b547e15df8109a72f48295f2dc1
Posted 2022-08-16 23:13 by 事愿人为