Podman签名和分发镜像
- 基本操作命令
- 如何使用 Podman 签名和分发容器镜像:
基本操作命令
链接: 官方文档
#管理容器
[root@localhost ~]# podman container --help
Manage containers
Description:
Manage containers
Usage:
podman container [command]
#在容器和本地文件系统之间复制文件/文件夹
[root@localhost ~]# podman run -it centos
[root@593692583e33 /]# ls
bin etc lib lost+found mnt proc run srv tmp var
dev home lib64 media opt root sbin sys usr
#在另一个终端操作
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
593692583e33 quay.io/centos/centos:latest /bin/bash 12 seconds ago Up 12 seconds ago ecstatic_cray
[root@localhost ~]# ls
anaconda-ks.cfg apr-1.6.5.tar.gz apr-util-1.6.1.tar.gz data httpd-2.4.54.tar.gz
[root@localhost ~]# podman cp anaconda-ks.cfg 593692583e33:/
[root@localhost ~]#
文件复制到容器中了
[root@593692583e33 /]# ls
anaconda-ks.cfg dev home lib64 media opt root sbin sys usr
bin etc lib lost+found mnt proc run srv tmp var
[root@593692583e33 /]#
#还可以把容器文件复制到本地系统当中去
[root@593692583e33 /]# ls
anaconda-ks.cfg dev home lib64 media opt root sbin sys usr
bin etc lib lost+found mnt proc run srv tmp var
[root@593692583e33 /]#
#复制到/opt
[root@localhost ~]# ls /opt/
containerd
[root@localhost ~]# podman cp 593692583e33:/anaconda-ks.cfg /opt/
[root@localhost ~]# ls /opt/
anaconda-ks.cfg containerd
[root@localhost ~]#
#创建但不启动容器
[root@localhost ~]# podman create --name web httpd
965a5673a83aa9fcd5361fe8591f7a052f1536131a35e057b673cab349f071be
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
593692583e33 quay.io/centos/centos:latest /bin/bash 4 minutes ago Exited (0) 13 seconds ago ecstatic_cray
965a5673a83a docker.io/library/httpd:latest httpd-foreground 7 seconds ago Created web
[root@localhost ~]#
#检查容器文件系统上的更改,注意要运行中的容器
[root@localhost ~]# podman diff web
C /usr
C /usr/local
C /usr/local/apache2
C /usr/local/apache2/logs
A /usr/local/apache2/logs/httpd.pid
C /etc
[root@localhost ~]#
#显示 Podman 事件
[root@localhost ~]# podman events
2022-08-15 19:34:06.600389793 +0800 CST container exec 593692583e332e6e1a956c46b06f2ad8d6464ebe760ab32c920b9a856ffbffae (image=quay.io/centos/centos:latest, name=ecstatic_cray, org.label-schema.schema-version=1.0, org.label-schema.vendor=CentOS, org.label-schema.build-date=20201204, org.label-schema.license=GPLv2, org.label-schema.name=CentOS Base Image)
#在正在运行的容器中运行进程
[root@localhost ~]# podman exec -it 593692583e33 /bin/sh
sh-4.4# ls
anaconda-ks.cfg dev home lib64 media opt root sbin sys usr
bin etc lib lost+found mnt proc run srv tmp var
sh-4.4#
#附加到正在运行的容器
[root@localhost ~]# podman exec -it 593692583e33 /bin/sh
sh-4.4#
[root@593692583e33 /]# ls
anaconda-ks.cfg dev home lib64 media opt root sbin sys usr
bin etc lib lost+found mnt proc run srv tmp var
[root@593692583e33 /]#
#显示指定镜像的历史记录(各层的创建命令与大小)
[root@localhost ~]# podman history httpd
ID CREATED CREATED BY SIZE COMMENT
dabbfbe0c57b 7 months ago /bin/sh -c #(nop) CMD ["httpd-foreground"] 0 B
<missing> 7 months ago /bin/sh -c #(nop) EXPOSE 80 0 B
<missing> 7 months ago /bin/sh -c #(nop) COPY file:c432ff61c4993e... 3.58 kB
<missing> 7 months ago /bin/sh -c #(nop) STOPSIGNAL SIGWINCH 0 B
<missing> 7 months ago /bin/sh -c set -eux; savedAptMark="$(apt... 61.1 MB
<missing> 7 months ago /bin/sh -c #(nop) ENV HTTPD_PATCHES= 0 B
<missing> 7 months ago /bin/sh -c #(nop) ENV HTTPD_SHA256=0127f7... 0 B
<missing> 7 months ago /bin/sh -c #(nop) ENV HTTPD_VERSION=2.4.52 0 B
<missing> 7 months ago /bin/sh -c set -eux; apt-get update; apt... 2.72 MB
<missing> 7 months ago /bin/sh -c #(nop) WORKDIR /usr/local/apache2 0 B
<missing> 7 months ago /bin/sh -c mkdir -p "$HTTPD_PREFIX" && ch... 3.07 kB
<missing> 7 months ago /bin/sh -c #(nop) ENV PATH=/usr/local/apa... 0 B
<missing> 7 months ago /bin/sh -c #(nop) ENV HTTPD_PREFIX=/usr/l... 0 B
<missing> 7 months ago /bin/sh -c #(nop) CMD ["bash"] 0 B
<missing> 7 months ago /bin/sh -c #(nop) ADD file:09675d11695f65c... 83.9 MB
[root@localhost ~]#
#列出本地存储中的图像
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/busybox latest beae173ccac6 7 months ago 1.46 MB
docker.io/library/httpd latest dabbfbe0c57b 7 months ago 148 MB
quay.io/centos/centos latest 300e315adb2f 20 months ago 217 MB
[root@localhost ~]#
#用特定的信号杀死一个或多个正在运行的容器
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
593692583e33 quay.io/centos/centos:latest /bin/bash 20 minutes ago Exited (0) 43 seconds ago ecstatic_cray
965a5673a83a docker.io/library/httpd:latest httpd-foreground 16 minutes ago Up 13 minutes ago web
[root@localhost ~]# podman kill 965a5673a83a
965a5673a83a
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
593692583e33 quay.io/centos/centos:latest /bin/bash 21 minutes ago Exited (0) About a minute ago ecstatic_cray
965a5673a83a docker.io/library/httpd:latest httpd-foreground 17 minutes ago Exited (137) 5 seconds ago web
#管理网络
[root@localhost ~]# podman network ls
NETWORK ID NAME VERSION PLUGINS
2f259bab93aa podman 0.4.0 bridge,portmap,firewall,tuning
[root@localhost ~]#
#generate 生成结构化数据
[root@localhost ~]# podman generate --help
Usage:
podman generate [command]
Available Commands:
kube Generate Kubernetes YAML from containers, pods or volumes.
systemd Generate systemd units.
#这里需要了解自己的操作系统使用哪种初始化系统,本机是 Linux,使用 systemd
#运行一个容器,然后设置运行方式,这里是开机自启,创建一个新的容器
[root@localhost ~]# podman run -d --name web -p 80:80 httpd
3dedf5b78396d7dbe7901821c134b36e7744ffd217f87a1d399f1c9d745c5195
[root@localhost ~]# podman generate systemd --name web --files --new
/root/container-web.service
[root@localhost ~]# vim /root/container-web.service
#container-web.service
#autogenerated by Podman 3.3.1
#Mon Aug 15 21:41:30 CST 2022
[Unit]
Description=Podman container-web.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers
#查看这个启动方法
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/%n.ctr-id
ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --sdnotify=conmon --cgroups=no-conmon --rm --replace -d --name web -p 80:80 httpd
ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
Type=notify
"~/container-web.service" 24L, 735C
[root@localhost ~]# cp container-web.service /usr/lib/systemd/system/
[root@localhost ~]# systemctl status container-web.service
● container-web.service - Podman container-web.service
Loaded: loaded (/usr/lib/systemd/system/container-web.service; disabled; vendor preset: >
Active: inactive (dead)
Docs: man:podman-generate-systemd(1)
[root@localhost ~]#
[root@localhost ~]# podman rm -f web
3dedf5b78396d7dbe7901821c134b36e7744ffd217f87a1d399f1c9d745c5195
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
#复制配置文件
[root@localhost ~]# systemctl status container-web.service
● container-web.service - Podman container-web.service
Loaded: loaded (/usr/lib/systemd/system/container-web.service; disabled; vendor preset: >
Active: inactive (dead)
Docs: man:podman-generate-systemd(1)
[root@localhost ~]#
[root@localhost ~]# podman rm -f web
3dedf5b78396d7dbe7901821c134b36e7744ffd217f87a1d399f1c9d745c5195
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
#删除容器后配置还在
[root@localhost ~]# systemctl status container-web.service
● container-web.service - Podman container-web.service
Loaded: loaded (/usr/lib/systemd/system/container-web.service; disabled; vendor preset: >
Active: inactive (dead)
Docs: man:podman-generate-systemd(1)
#启动,并开机自启
[root@localhost ~]# systemctl enable --now container-web
Created symlink /etc/systemd/system/multi-user.target.wants/container-web.service → /usr/lib/systemd/system/container-web.service.
Created symlink /etc/systemd/system/default.target.wants/container-web.service → /usr/lib/systemd/system/container-web.service.
[root@localhost ~]# systemctl status container-web.service
● container-web.service - Podman container-web.service #已经启动了
Loaded: loaded (/usr/lib/systemd/system/container-web.service; enabled; vendor preset: d>
Active: active (running) since Mon 2022-08-15 21:36:35 CST; 22s ago
Docs: man:podman-generate-systemd(1)
Process: 2001 ExecStartPre=/bin/rm -f /run/container-web.service.ctr-id (code=exited, sta>
Main PID: 2152 (conmon)
Tasks: 2 (limit: 49288)
Memory: 18.9M
CGroup: /system.slice/container-web.service
└─2152 /usr/bin/conmon --api-version 1 -c 5ba15184674548147af146a80cf1c277f0ed45>
Aug 15 21:36:33 localhost systemd[1]: Starting Podman container-web.service...
Aug 15 21:36:35 localhost systemd[1]: Started Podman container-web.service.
Aug 15 21:36:35 localhost podman[2003]: 5ba15184674548147af146a80cf1c277f0ed45c99909a690209>
#容器也自动启动
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5ba151846745 docker.io/library/httpd:latest httpd-foreground About a minute ago Up About a minute ago 0.0.0.0:80->80/tcp web
[root@localhost ~]#
#如果服务停掉,容器就会消失
[root@localhost ~]# systemctl stop container-web
[root@localhost ~]# systemctl status container-web
● container-web.service - Podman container-web.service
Loaded: loaded (/usr/lib/systemd/system/container-web.service; enabled; vendor preset: d>
Active: inactive (dead) since Mon 2022-08-15 21:39:45 CST; 9s ago
Docs: man:podman-generate-systemd(1)
Process: 2387 ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=/run/container-web.se>
Process: 2312 ExecStop=/usr/bin/podman stop --ignore --cidfile=/run/container-web.service>
Process: 2152 ExecStart=/usr/bin/podman run --cidfile=/run/container-web.service.ctr-id ->
Process: 2001 ExecStartPre=/bin/rm -f /run/container-web.service.ctr-id (code=exited, sta>
Main PID: 2152 (code=exited, status=0/SUCCESS)
Aug 15 21:36:33 localhost systemd[1]: Starting Podman container-web.service...
Aug 15 21:36:35 localhost systemd[1]: Started Podman container-web.service.
Aug 15 21:36:35 localhost podman[2003]: 5ba15184674548147af146a80cf1c277f0ed45c99909a690209>
Aug 15 21:39:44 localhost systemd[1]: Stopping Podman container-web.service...
Aug 15 21:39:45 localhost podman[2312]: 5ba15184674548147af146a80cf1c277f0ed45c99909a690209>
Aug 15 21:39:45 localhost podman[2387]: 5ba15184674548147af146a80cf1c277f0ed45c99909a690209>
Aug 15 21:39:45 localhost systemd[1]: container-web.service: Succeeded.
Aug 15 21:39:45 localhost systemd[1]: Stopped Podman container-web.service.
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
#重新启动虚拟机:因为已设置开机自启,服务会随系统重新启动并运行一个新的容器
[root@localhost ~]# reboot
[root@localhost ~]# systemctl status container-web
● container-web.service - Podman container-web.service
Loaded: loaded (/usr/lib/systemd/system/container-web.service; enabled; vendor preset: d>
Active: active (running) since Mon 2022-08-15 21:42:27 CST; 24s ago
Docs: man:podman-generate-systemd(1)
Process: 1208 ExecStartPre=/bin/rm -f /run/container-web.service.ctr-id (code=exited, sta>
Main PID: 1608 (conmon)
Tasks: 2 (limit: 49288)
Memory: 75.6M
CGroup: /system.slice/container-web.service
└─1608 /usr/bin/conmon --api-version 1 -c c07f22b79c3e4a052738c152bd6630cafed862>
Aug 15 21:42:25 localhost systemd[1]: Starting Podman container-web.service...
Aug 15 21:42:27 localhost systemd[1]: Started Podman container-web.service.
Aug 15 21:42:27 localhost podman[1210]: c07f22b79c3e4a052738c152bd6630cafed862698a95f81b21b>
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c07f22b79c3e docker.io/library/httpd:latest httpd-foreground 33 seconds ago Up 32 seconds ago 0.0.0.0:80->80/tcp web
#删除配置文件,去掉 --new 选项后重新生成一个新的 unit 文件
[root@localhost ~]# rm -rf container-web.service
[root@localhost ~]# podman generate systemd --name web --files
/root/container-web.service
[root@localhost ~]# vim container-web.service
#container-web.service
#autogenerated by Podman 3.3.1
#Mon Aug 15 22:30:10 CST 2022
[Unit]
Description=Podman container-web.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=/run/containers/storage
#这个配置文件的启动方式和刚才的完全不同:它不会创建新的容器,启动或停止的始终是同一个已创建的容器
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStart=/usr/bin/podman start web
ExecStop=/usr/bin/podman stop -t 10 web
ExecStopPost=/usr/bin/podman stop -t 10 web
PIDFile=/run/containers/storage/overlay-containers/c07f22b79c3e4a052738c152bd6630cafed862698a95f81b21b76a1756e54243/userdata/conmon.pid
Type=forking
#查看日志文件,这个是运行web但没有访问,查看后访问web地址然后查看日志
[root@localhost ~]# podman logs web
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.2. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.2. Set the 'ServerName' directive globally to suppress this message
[Mon Aug 15 13:42:27.995161 2022] [mpm_event:notice] [pid 1:tid 140499173719360] AH00489: Apache/2.4.52 (Unix) configured -- resuming normal operations
[Mon Aug 15 13:42:27.999668 2022] [core:notice] [pid 1:tid 140499173719360] AH00094: Command line: 'httpd -D FOREGROUND'
[root@localhost ~]# podman logs web
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.2. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.2. Set the 'ServerName' directive globally to suppress this message
[Mon Aug 15 13:42:27.995161 2022] [mpm_event:notice] [pid 1:tid 140499173719360] AH00489: Apache/2.4.52 (Unix) configured -- resuming normal operations
[Mon Aug 15 13:42:27.999668 2022] [core:notice] [pid 1:tid 140499173719360] AH00094: Command line: 'httpd -D FOREGROUND'
192.168.141.1 - - [15/Aug/2022:13:53:14 +0000] "GET / HTTP/1.1" 200 45
192.168.141.1 - - [15/Aug/2022:13:53:14 +0000] "GET /favicon.ico HTTP/1.1" 404 196
192.168.141.1 - - [15/Aug/2022:13:53:34 +0000] "GET / HTTP/1.1" 304 -
#重新查看就会发现访问了两次
#列出容器端口号
[root@localhost ~]# podman port web
80/tcp -> 0.0.0.0:80
[root@localhost ~]#
#容器重命名,但配置文件没有改名关闭重启还是web
[root@localhost ~]# podman rename web myweb
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c07f22b79c3e docker.io/library/httpd:latest httpd-foreground 15 minutes ago Up 15 minutes ago 0.0.0.0:80->80/tcp myweb
[root@localhost ~]# cat container-web.service
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStart=/usr/bin/podman start web #还是web,需要修改才能成功修改名字
ExecStop=/usr/bin/podman stop -t 10 web
ExecStopPost=/usr/bin/podman stop -t 10 web
PIDFile=/run/containers/storage/overlay-containers/c07f22b79c3e4a052738c152bd6630cafed862698a95f81b21b76a1756e54243/userdata/conmon.pid
Type=forking
#查看容器运行状态,因为刚才修改名字了所以是myweb
[root@localhost ~]# podman stats myweb
ID NAME CPU % MEM USAGE / LIMIT MEM % NET IO BLOCK IO PIDS CPU TIME AVG CPU %
c07f22b79c3e myweb 0.01% 47.75MB / 8.117GB 0.59% 3.216kB / 4.887kB 17.34MB / 0B 109 868.831484ms 0.00%
#查看使用磁盘空间的命令,是统计podman的使用
[root@localhost ~]# podman system df
TYPE TOTAL ACTIVE SIZE RECLAIMABLE
Images 3 1 365.7MB 218MB (0%)
Containers 1 1 14B 0B (0%)
Local Volumes 0 0 0B 0B (0%)
[root@localhost ~]#
#显示容器正在运行的进程
[root@localhost ~]# podman top myweb
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
root 1 0 0.000 27m16.921177663s ? 0s httpd -DFOREGROUND
www-data 9 1 0.000 27m15.921668712s ? 0s httpd -DFOREGROUND
www-data 10 1 0.000 27m15.921732002s ? 0s httpd -DFOREGROUND
www-data 11 1 0.000 27m15.921785132s ? 0s httpd -DFOREGROUND
www-data 93 1 0.000 15m36.921837451s ? 0s httpd -DFOREGROUND
[root@localhost ~]#
#取消容器挂载。一般不取消挂载:取消挂载就卸载了 rootfs 层,之后无法再 exec 进入容器,但容器仍在运行,应用仍可访问
[root@localhost ~]# podman unmount myweb
[root@localhost ~]# podman exec -it myweb /bin/bash
Error: exec failed: container_linux.go:380: starting container process caused: process_linux.go:99: starting setns process caused: fork/exec /proc/self/exe: no such file or directory: OCI runtime attempted to invoke a command that was not found
[root@localhost ~]# curl 192.168.141.135
<html><body><h1>It works!</h1></body></html>
#重新挂载,容器的配置目录重新挂载在虚拟机中,然后可以进入容器了
[root@localhost ~]# podman mount myweb
/var/lib/containers/storage/overlay/7fa816138f9075c87d9e9a30ce5fb890f5f32769b26db150c03a0d810f68a644/merged
[root@localhost ~]# ls /var/lib/containers/storage/overlay/7fa816138f9075c87d9e9a30ce5fb890f5f32769b26db150c03a0d810f68a644/merged
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
[root@localhost ~]# podman exec -it myweb /bin/bash
root@c07f22b79c3e:/usr/local/apache2# ls
bin build cgi-bin conf error htdocs icons include logs modules
root@c07f22b79c3e:/usr/local/apache2#
#查看版本号
[root@localhost ~]# podman version
Version: 3.3.1
API Version: 3.3.1
Go Version: go1.16.7
Built: Wed Nov 10 05:23:56 2021
OS/Arch: linux/amd64
[root@localhost ~]#
#配置卷,按照需要create创建,exists查看存在,rm删除
[root@localhost ~]# podman volume --help
#停止最后一个创建的容器
[root@localhost ~]# podman run -itd busybox
93fc1eba609879546350345769db5bc24ce2f7144d8ba1fa02d5c663fde26c9a
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c07f22b79c3e docker.io/library/httpd:latest httpd-foreground 46 minutes ago Up 46 minutes ago 0.0.0.0:80->80/tcp myweb
93fc1eba6098 docker.io/library/busybox:latest sh 6 seconds ago Up 6 seconds ago determined_wilbur
[root@localhost ~]# podman stop -l #停止最新创建的容器
93fc1eba609879546350345769db5bc24ce2f7144d8ba1fa02d5c663fde26c9a
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c07f22b79c3e docker.io/library/httpd:latest httpd-foreground 47 minutes ago Up 47 minutes ago 0.0.0.0:80->80/tcp myweb
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c07f22b79c3e docker.io/library/httpd:latest httpd-foreground 48 minutes ago Up 48 minutes ago 0.0.0.0:80->80/tcp myweb
93fc1eba6098 docker.io/library/busybox:latest sh About a minute ago Exited (137) About a minute ago determined_wilbur
#About a minute ago 最新启动
#通过-l重新启动最新的容器
[root@localhost ~]# podman start -l
93fc1eba609879546350345769db5bc24ce2f7144d8ba1fa02d5c663fde26c9a
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c07f22b79c3e docker.io/library/httpd:latest httpd-foreground 49 minutes ago Up 49 minutes ago 0.0.0.0:80->80/tcp myweb
93fc1eba6098 docker.io/library/busybox:latest sh 2 minutes ago Up 4 seconds ago determined_wilbur
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c07f22b79c3e docker.io/library/httpd:latest httpd-foreground 49 minutes ago Up 49 minutes ago 0.0.0.0:80->80/tcp myweb
93fc1eba6098 docker.io/library/busybox:latest sh 2 minutes ago Up 10 seconds ago determined_wilbur
[root@localhost ~]#
#注意停止和重启,在同一时间创建的容器,只针对最后一个容器
[root@localhost ~]# podman run -itd busybox
aaecc6385cfa3848f9e4df19551ee11b8606dcf2c2c2fda14f7b07d6df55459b
[root@localhost ~]# podman run -itd busybox
e58b5ed001a5c77782a4605ea5413e4c99647a2b5f4b2ea88cb8aee13ebf5171
[root@localhost ~]# podman run -itd busybox
0058fa9a292916ec2184a0b8eca3af41cdce428cff9a57a92505dffc5daf7448
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c07f22b79c3e docker.io/library/httpd:latest httpd-foreground 54 minutes ago Up 54 minutes ago 0.0.0.0:80->80/tcp myweb
93fc1eba6098 docker.io/library/busybox:latest sh 8 minutes ago Up 5 minutes ago determined_wilbur
aaecc6385cfa docker.io/library/busybox:latest sh About a minute ago Up About a minute ago great_buck
e58b5ed001a5 docker.io/library/busybox:latest sh 57 seconds ago Up 56 seconds ago confident_hertz
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c07f22b79c3e docker.io/library/httpd:latest httpd-foreground 55 minutes ago Up 55 minutes ago 0.0.0.0:80->80/tcp myweb
93fc1eba6098 docker.io/library/busybox:latest sh 8 minutes ago Up 5 minutes ago determined_wilbur
aaecc6385cfa docker.io/library/busybox:latest sh About a minute ago Up About a minute ago great_buck
e58b5ed001a5 docker.io/library/busybox:latest sh About a minute ago Up 59 seconds ago confident_hertz
0058fa9a2929 docker.io/library/busybox:latest sh 57 seconds ago Exited (137) 14 seconds ago modest_feynman
#停止和重启只是指定最后一个容器
[root@localhost ~]# podman stop -l
0058fa9a292916ec2184a0b8eca3af41cdce428cff9a57a92505dffc5daf7448
[root@localhost ~]# podman stop -l
0058fa9a292916ec2184a0b8eca3af41cdce428cff9a57a92505dffc5daf7448
[root@localhost ~]# podman stop -l
0058fa9a292916ec2184a0b8eca3af41cdce428cff9a57a92505dffc5daf7448
[root@localhost ~]# podman start -l
0058fa9a292916ec2184a0b8eca3af41cdce428cff9a57a92505dffc5daf7448
[root@localhost ~]#
#删除时添加-l也是只删除最后一个,但删除一个会自动指定上一个容器
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c07f22b79c3e docker.io/library/httpd:latest httpd-foreground 57 minutes ago Up 57 minutes ago 0.0.0.0:80->80/tcp myweb
93fc1eba6098 docker.io/library/busybox:latest sh 10 minutes ago Up 8 minutes ago determined_wilbur
aaecc6385cfa docker.io/library/busybox:latest sh 3 minutes ago Up 3 minutes ago great_buck
e58b5ed001a5 docker.io/library/busybox:latest sh 3 minutes ago Up 3 minutes ago confident_hertz
0058fa9a2929 docker.io/library/busybox:latest sh 3 minutes ago Up About a minute ago modest_feynman
[root@localhost ~]# podman rm -fl
0058fa9a292916ec2184a0b8eca3af41cdce428cff9a57a92505dffc5daf7448
[root@localhost ~]# podman rm -fl
e58b5ed001a5c77782a4605ea5413e4c99647a2b5f4b2ea88cb8aee13ebf5171
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c07f22b79c3e docker.io/library/httpd:latest httpd-foreground 58 minutes ago Up 58 minutes ago 0.0.0.0:80->80/tcp myweb
93fc1eba6098 docker.io/library/busybox:latest sh 11 minutes ago Up 9 minutes ago determined_wilbur
aaecc6385cfa docker.io/library/busybox:latest sh 4 minutes ago Up 4 minutes ago great_buck
[root@localhost ~]#
如何使用 Podman 签名和分发容器镜像:
链接: 官方链接
签署容器镜像的动机是只信任特定的镜像提供者,以减轻中间人 (MITM) 攻击或针对容器注册表的攻击。签署镜像的一种方法是使用 GNU Privacy Guard (GPG) 密钥。这种技术通常与任何符合 OCI 的容器注册表兼容,例如 Quay.io。值得一提的是,OpenShift 集成容器注册表开箱即用地支持这种签名机制,这使得单独的签名存储变得不必要。
从技术角度来看,我们可以利用 Podman 对镜像进行签名,然后再将其推送到远程注册表。之后,所有运行 Podman 的系统都必须配置为从远程服务器检索签名,远程服务器可以是任何简单的 Web 服务器。这意味着在镜像拉取操作期间,每个未签名的镜像都将被拒绝(前提是拉取端的 /etc/containers/policy.json 配置了要求签名的策略)。
#首先,我们必须创建一个 GPG 密钥对或选择一个已经在本地可用的密钥对。
#要生成新的 GPG 密钥,只需运行gpg --full-gen-key并按照交互式对话框操作。
#现在我们应该能够验证密钥在本地是否存在:
[root@localhost ~]# gpg --full-gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: lin@163.com
Email address: lin@163.com
Comment: lin
You selected this USER-ID:
"lin@163.com (lin) <lin@163.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key DDEDB97142D7C1EB marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/D7873AC8DAB5AA435B1C9E21DDEDB97142D7C1EB.rev'
public and secret key created and signed.
pub rsa2048 2022-08-16 [SC]
D7873AC8DAB5AA435B1C9E21DDEDB97142D7C1EB
uid lin@163.com (lin) <lin@163.com>
sub rsa2048 2022-08-16 [E]
[root@localhost ~]#
#验证密钥在本地是否存在:
[root@localhost ~]# gpg --list-keys lin@163.com
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub rsa2048 2022-08-16 [SC]
D7873AC8DAB5AA435B1C9E21DDEDB97142D7C1EB
uid [ultimate] lin@163.com (lin) <lin@163.com>
sub rsa2048 2022-08-16 [E]
[root@localhost ~]#
#现在让我们假设我们运行一个容器注册表。例如,我们可以简单地在本地机器上启动一个:
[root@localhost ~]# podman run -d -p 5000:5000 docker.io/registry
Trying to pull docker.io/library/registry:latest...
Getting image source signatures
Copying blob 3790aef225b9 done
Copying blob e2ead8259a04 done
Copying blob 79e9f2f55bf5 done
Copying blob 0d96da54f60b done
Copying blob 5b27040df4a2 done
Copying config b8604a3fe8 done
Writing manifest to image destination
Storing signatures
c6affde22941b9b4950169a91635121c980b62201f2b359c12b79142551e9fcb
#注册表对镜像签名一无所知,它只是为容器镜像提供远程存储。这意味着如果我们想要对图像进行签名,我们必须注意如何分发签名。
#让我们为签名实验选择一个标准镜像 alpine:
[root@localhost ~]# podman pull docker://docker.io/alpine:latest
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob 59bf1c3509f3 done
Copying config c059bfaa84 done
Writing manifest to image destination
Storing signatures
c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18
#查看镜像
[root@localhost ~]# podman images alpine
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
#现在我们可以重新标记图像以将其指向我们的本地注册表:
[root@localhost ~]# podman tag alpine localhost:5000/alpine
[root@localhost ~]# podman images alpine
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
localhost:5000/alpine latest c059bfaa849c 8 months ago 5.87 MB
#Podman 现在可以通过一个命令推送图像并对其进行签名。
#但是要让它工作,我们必须在以下位置修改我们的系统范围的注册表配置
#/etc/containers/registries.d/default.yaml:
[root@localhost ~]# vim /etc/containers/registries.d/default.yaml
# This is the default signature write location for docker registries.
default-docker:
# sigstore: file:///var/lib/containers/sigstore
sigstore: http://localhost:8000 #在这里添加
sigstore-staging: file:///var/lib/containers/sigstore
#现在,让我们推送并签署镜像(--tls-verify=false 仅因为本地测试注册表没有 TLS;生产环境不要关闭 TLS 校验):
[root@localhost ~]# podman push \
> --tls-verify=false \
> --sign-by lin@163.com \
> localhost:5000/alpine
Please enter the passphrase to unlock the OpenPGP secret key: x
x "lin@163.com (lin) <lin@163.com>" x
x 2048-bit RSA key, ID 5871592AC4637858, x
x created 2022-08-15. x
x x
x x
x Passphrase: *********_________________________________________ x
x x
x <OK> <Cancel> x
#输入 GPG 私钥的口令(passphrase)
[root@localhost ~]# podman push --tls-verify=false --sign-by lin@163.com localhost:5000/alpine
Getting image source signatures
Copying blob 8d3ac3489996 done
Copying config c059bfaa84 done
Writing manifest to image destination
Signing manifest
Storing signatures
#推送成功
#如果我们现在看一下系统签名存储,
#我们会看到有一个新的签名可用,这是由图像推送引起的:
[root@localhost ~]# ls /var/lib/containers/sigstore
'alpine@sha256=a65d71e7a88c3a63246ec299abb0dcec671579ac0af199d96e2a82339f061199'
#我们编辑的版本中的默认签名存储 /etc/containers/registries.d/default.yaml
#引用了一个正在监听的 Web 服务器 http://localhost:8000。
#对于我们的实验,我们只需在本地临时签名存储中启动一个新服务器:
[root@localhost ~]# dnf -y module install python38
[root@localhost ~]# cd /var/lib/containers/sigstore
[root@localhost sigstore]# pwd
/var/lib/containers/sigstore
[root@localhost sigstore]# ls
'alpine@sha256=a65d71e7a88c3a63246ec299abb0dcec671579ac0af199d96e2a82339f061199'
[root@localhost sigstore]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5000 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
[root@localhost sigstore]# python3 -m http.server
[root@localhost ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5000 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
#在防火墙中放行签名服务器的 8000 端口
[root@localhost ~]# firewall-cmd --add-rich-rule 'rule family=ipv4 source
> address=192.168.79.128/24 port port=8000 protocol=tcp accept' --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]#
在使用 Podman 和 GPG 对容器镜像进行签名时
通常需要考虑四个主要事项:
- 签名机器上需要有效的 GPG 私钥,每台拉取镜像的系统上需要相应的公钥
- Web 服务器必须在可以访问签名存储的地方运行
- 必须在任何 /etc/containers/registries.d/*.yaml文件中配置 Web 服务器
- 每个拉取镜像的系统都必须配置强制签名策略(/etc/containers/policy.json)
- 以上就是镜像签名和 GPG 的内容。很酷的是,这个设置也可以与 CRI-O 一起使用,并且可以用于在 Kubernetes 环境中对容器镜像进行签名。