
Installing and using Podman to run Linux containers without root privileges

2018-10-26 09:12:38  Author: geekpi  Source: linux.cn

Docker is one of the best tools for managing Linux containers, but it has to run with root privileges, which can be a security risk. Switching to Podman lets you run Linux containers without root privileges. Below we download, install and use Podman to that end.


Introduction to Podman

Podman is a container runtime that provides functionality very similar to Docker. As already hinted, it does not require any daemon running on your system, and it can also run without root privileges.


Related links

Podman website

libpod GitHub page

Installing Podman

Podman is available by default on Silverblue, a new generation of Linux workstation built for container-based workflows. To install it on any Fedora release, simply run:

$ sudo dnf install podman


Running containers with Podman

One of the simplest examples is probably running a Fedora container that prints "Hello world!" on the command line:

$ podman run --rm -it fedora:28 echo "Hello world!"

Building an image from an ordinary Dockerfile works the same way as with Docker:

$ cat Dockerfile
FROM fedora:28
RUN dnf -y install cowsay

$ podman build . -t hello-world
... output omitted ...

$ podman run --rm -it hello-world cowsay "Hello!"

To build containers, Podman calls another tool, Buildah, behind the scenes.

Besides building and running containers, Podman can also interact with container registries. To log in to a registry, for example the widely used Docker Hub, run:

$ podman login docker.io

To push the image I just built, I simply tag it with a name that refers to the specific container registry, then push it directly.

$ podman tag hello-world docker.io/asamalik/hello-world

$ podman push docker.io/asamalik/hello-world

By the way, notice how I ran everything as a non-root user, and that no big, heavy daemon is running on my system.
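Running containers as a non-root user only works if that user can map container UIDs and GIDs into a user namespace, which rootless Podman does through the subordinate ID ranges in /etc/subuid and /etc/subgid. The following shell functions are an added example, not part of the article or the Podman project: they parse such a file and report whether a user owns a large enough range. The function names, the parameters and the 65536-ID threshold (Podman's documented recommendation) are this example's own choices; the file paths are parameters so you can point them at copies of the real files.

```shell
# Added example: check whether a user has the subordinate UID/GID ranges that
# rootless Podman needs. Lines in /etc/subuid and /etc/subgid look like
# "user:start:count"; a user may own several lines, so the counts are summed.
# Usage: check_subid_range <subuid-or-subgid file> <user> [min-range]
check_subid_range() {
    file=$1
    user=$2
    min=${3:-65536}   # recommended minimum number of IDs per user
    [ -r "$file" ] || { echo "$file: not readable"; return 2; }
    total=$(awk -F: -v u="$user" '$1 == u { s += $3 } END { print s + 0 }' "$file")
    if [ "$total" -ge "$min" ]; then
        echo "$user has $total ids in $file"
        return 0
    else
        echo "$user has only $total ids in $file (need $min)"
        return 1
    fi
}

# Both files must grant a range before rootless mode will map a container's
# users; defaults to the calling user and the system files.
# Usage: rootless_ready [user] [subuid file] [subgid file]
rootless_ready() {
    user=${1:-$(id -un)}
    subuid=${2:-/etc/subuid}
    subgid=${3:-/etc/subgid}
    check_subid_range "$subuid" "$user" && check_subid_range "$subgid" "$user"
}
```

If `rootless_ready` fails for your user, adding a line such as `alice:100000:65536` to both files (with a range that does not overlap other users') is the usual fix; Podman then picks the mapping up the next time it starts a container.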

Appendix: Basic Setup and Use of Podman

Podman is a utility provided as part of the libpod library. It can be used to create and maintain containers. The following tutorial will teach you how to set up Podman and perform some basic commands with Podman.

1.Install Podman on Fedora from RPM Repositories

Fedora 27 and later provide Podman via the package manager.

$ sudo dnf install -y podman

2.Install Podman on Fedora from Source

Many of the basic components to run Podman are readily available from the Fedora RPM repositories. In this section, we will help you install all the runtime and build dependencies for Podman, acquire the source, and build it.

3.Installing build and runtime dependencies

$ sudo dnf install -y git runc libassuan-devel golang golang-github-cpuguy83-go-md2man glibc-static \
    gpgme-devel glib2-devel device-mapper-devel libseccomp-devel \
    atomic-registries iptables skopeo-containers containernetworking-cni \
    conmon

4.Building and installing podman

First, configure a GOPATH (if you are using go1.8 or later, this defaults to ~/go), then clone and make libpod.

$ export GOPATH=~/go

$ mkdir -p $GOPATH

$ git clone https://github.com/containers/libpod/ $GOPATH/src/github.com/containers/libpod

$ cd $GOPATH/src/github.com/containers/libpod

$ make

$ sudo make install PREFIX=/usr

You now have a working podman environment.

5.Install podman on Ubuntu

The default Ubuntu cloud image size will not allow for the following exercise to be done without increasing its capacity. Be sure to add at least 5GB to the image. Instructions to do this are outside the scope of this tutorial. For this tutorial, the Ubuntu artful-server-cloudimg image was used.

6.Installing build and runtime dependencies

Installing base packages

$ sudo apt-get update

$ sudo apt-get install libdevmapper-dev libglib2.0-dev libgpgme11-dev golang libseccomp-dev \
    go-md2man libprotobuf-dev libprotobuf-c0-dev libseccomp-dev python3-setuptools

8.Building and installing conmon

First, configure a GOPATH (if you are using go1.8 or later, this defaults to ~/go), then clone cri-o and build conmon from it.

$ export GOPATH=~/go

$ mkdir -p $GOPATH

$ git clone https://github.com/kubernetes-sigs/cri-o $GOPATH/src/github.com/kubernetes-sigs/cri-o

$ cd $GOPATH/src/github.com/kubernetes-sigs/cri-o

$ mkdir bin

$ make bin/conmon

$ sudo install -D -m 755 bin/conmon /usr/libexec/podman/conmon

9.Adding required configuration files

$ sudo mkdir -p /etc/containers

$ sudo curl https://raw.githubusercontent.com/projectatomic/registries/master/registries.fedora -o /etc/containers/registries.conf

$ sudo curl https://raw.githubusercontent.com/containers/skopeo/master/default-policy.json -o /etc/containers/policy.json
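The policy.json fetched above is skopeo's default policy, whose single rule is `insecureAcceptAnything`: every image from every registry is accepted without signature checks. The shell functions below are an added example, not the article's or the Podman project's configuration. They write either that weak default or a hardened policy that rejects everything unless a transport-specific rule allows it, and extract the catch-all rule so an audit can flag the weak setting. registry.fedoraproject.org and docker.io/asamalik are taken from this page; the GPG key path is a placeholder, and the function names are this example's own.

```shell
# Added example: write the weak default policy or a hardened one to <path>.
# Usage: write_policy <path> [default|hardened]
write_policy() {
    path=$1
    mode=${2:-hardened}
    case $mode in
    default)
        # Weak setting: any image from anywhere is accepted unverified.
        cat > "$path" <<'EOF'
{
    "default": [ { "type": "insecureAcceptAnything" } ]
}
EOF
        ;;
    hardened)
        # Reject by default, then allow-list only what this tutorial uses:
        # the Fedora registry, and the asamalik namespace on Docker Hub only
        # when images carry a signature made by the key at keyPath.
        # The key path is a placeholder to be replaced with the real public key.
        cat > "$path" <<'EOF'
{
    "default": [ { "type": "reject" } ],
    "transports": {
        "docker": {
            "registry.fedoraproject.org": [ { "type": "insecureAcceptAnything" } ],
            "docker.io/asamalik": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "/etc/pki/containers/PLACEHOLDER-signing-key.gpg"
                }
            ]
        }
    }
}
EOF
        ;;
    *)
        echo "unknown mode: $mode" >&2
        return 2
        ;;
    esac
}

# Print the "type" of the first rule in the "default" list of a policy file,
# so "insecureAcceptAnything" can be spotted in an audit of /etc/containers.
# Usage: policy_default_type <path>
policy_default_type() {
    awk '/"default"/ { found = 1 }
         found && match($0, /"type": *"[^"]+"/) {
             t = substr($0, RSTART, RLENGTH)
             sub(/.*"type": *"/, "", t)
             sub(/"$/, "", t)
             print t
             exit
         }' "$1"
}
```

Podman consults /etc/containers/policy.json when it pulls an image, so after installing the hardened variant a pull from a registry that is not allow-listed fails instead of silently succeeding; test that on a throwaway host before rolling it out, since it also blocks the `fedora:28` pull in the article unless the Fedora registry rule is kept.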

10.Installing CNI plugins

$ git clone https://github.com/containernetworking/plugins.git $GOPATH/src/github.com/containernetworking/plugins

$ cd $GOPATH/src/github.com/containernetworking/plugins

$ ./build.sh

$ sudo mkdir -p /usr/libexec/cni

$ sudo cp bin/* /usr/libexec/cni

11.Installing runc

$ git clone https://github.com/opencontainers/runc.git $GOPATH/src/github.com/opencontainers/runc

$ cd $GOPATH/src/github.com/opencontainers/runc

$ make BUILDTAGS="seccomp"

$ sudo cp runc /usr/bin/runc

12.Building and installing Podman

$ git clone https://github.com/containers/libpod/ $GOPATH/src/github.com/containers/libpod

$ cd $GOPATH/src/github.com/containers/libpod

$ make

$ sudo make install PREFIX=/usr

13.Familiarizing yourself with Podman

Running a sample container

This sample container will run a very basic httpd server that serves only its index page.

$ sudo podman run -dt -e HTTPD_VAR_RUN=/var/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d \
    -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf \
    -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \
    registry.fedoraproject.org/f27/httpd /usr/bin/run-httpd

Because the container is being run in detached mode, represented by the -d in the podman run command, podman will print the container ID after it has run.

14.Listing running containers

The Podman ps command is used to list created and running containers.

$ sudo podman ps

Note: If you add -a to the ps command, Podman will show all containers.

15.Inspecting a running container

You can "inspect" a running container for metadata and details about itself. We can even use the inspect subcommand to see what IP address was assigned to the container.

$ sudo podman inspect -l | grep IPAddress\":
        "IPAddress": "10.88.6.140",

Note: The -l is a convenience argument meaning the latest container. You can also use the container's ID instead of -l.

16.Testing the httpd server

Now that we have the IP address of the container, we can test the network communication between the host operating system and the container using curl. The following command should display the index page of our containerized httpd server.

# curl http://<IP_address>:8080

17.Viewing the container's logs

You can view the container's logs with Podman as well:

$ sudo podman logs --latest

10.88.0.1 - - [26/Oct/2018:8:22:11 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.55.1" "-"
10.88.0.1 - - [26/Oct/2018:8:22:30 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.55.1" "-"
10.88.0.1 - - [26/Oct/2018:8:22:30 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.55.1" "-"
10.88.0.1 - - [26/Oct/2018:8:22:31 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.55.1" "-"
10.88.0.1 - - [26/Oct/2018:8:22:31 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.55.1" "-"
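The lines `podman logs` prints here are httpd's combined access-log format, so they can be summarised with the same tooling as any web server log. The following is an added example, not part of the tutorial: it embeds the five lines above (10.88.0.1 is the host side of Podman's default 10.88.0.0/16 CNI bridge, i.e. the curl from this tutorial) plus two constructed 404 lines from a second constructed client address, and reports per-client totals with failed requests counted separately. The function names are this example's own.

```shell
# Added example: per-client summary of httpd access-log lines from `podman logs`.
# The first five lines are the article's output; the last two are constructed
# to show how failed requests are reported.
SAMPLE_LOG='10.88.0.1 - - [26/Oct/2018:8:22:11 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.55.1" "-"
10.88.0.1 - - [26/Oct/2018:8:22:30 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.55.1" "-"
10.88.0.1 - - [26/Oct/2018:8:22:30 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.55.1" "-"
10.88.0.1 - - [26/Oct/2018:8:22:31 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.55.1" "-"
10.88.0.1 - - [26/Oct/2018:8:22:31 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.55.1" "-"
10.88.0.7 - - [26/Oct/2018:8:25:02 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "curl/7.55.1" "-"
10.88.0.7 - - [26/Oct/2018:8:25:03 +0000] "GET /notthere HTTP/1.1" 404 196 "-" "curl/7.55.1" "-"'

# Print one line per client, sorted: "<ip> <total> <ok (status < 400)> <failed>".
# Usage: summarize_httpd_log <logfile>
summarize_httpd_log() {
    awk '
        {
            ip = $1
            # The status code follows the quoted request line, so split the
            # record on double quotes and take the first token after them.
            split($0, parts, "\"")
            split(parts[3], rest, " ")
            status = rest[1] + 0
            total[ip]++
            if (status >= 400) bad[ip]++; else ok[ip]++
        }
        END {
            for (ip in total)
                printf "%s %d %d %d\n", ip, total[ip], ok[ip] + 0, bad[ip] + 0
        }' "$1" | sort
}

# Total number of requests that ended in a 4xx or 5xx status.
# Usage: count_failed_requests <logfile>
count_failed_requests() {
    summarize_httpd_log "$1" | awk '{ s += $4 } END { print s + 0 }'
}

# Write the constructed sample to a temporary file and summarise it.
run_on_sample() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    summarize_httpd_log "$f"
    rm -f "$f"
}
```

To use it on a live container, pipe the log into a file first, e.g. `sudo podman logs --latest > /tmp/httpd.log` and then `summarize_httpd_log /tmp/httpd.log`; a client address other than the bridge's own 10.88.0.1 tells you the request did not come from the host.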

18.Viewing the container's pids

And you can observe the httpd pid in the container with top.

$ sudo podman top <container_id>

19.Checkpointing the container

Checkpointing a container stops the container while writing the state of all processes in the container to disk. With this a container can later be restored and continue running at exactly the same point in time as the checkpoint. This capability requires CRIU 3.11 or later installed on the system. To checkpoint the container use:

$ sudo podman container checkpoint <container_id>

20.Restoring the container

Restoring a container is only possible for a previously checkpointed container. The restored container will continue to run at exactly the same point in time it was checkpointed. To restore the container use:

$ sudo podman container restore <container_id>

After being restored, the container will answer requests again as it did before checkpointing.

# curl http://<IP_address>:8080

21.Stopping the container

To stop the httpd container:

$ sudo podman stop --latest

You can also check the status of one or more containers using the ps subcommand. In this case, we should use the -a argument to list all containers.

$ sudo podman ps -a

22.Removing the container

To remove the httpd container:

$ sudo podman rm --latest

You can verify the deletion of the container by running podman ps -a.
