Basic setup and use of podman
Run a sample container
[root@localhost ~]# podman run -dt -p 8080:8080/tcp -e HTTPD_VAR_RUN=/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d \
> -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf \
> -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \
> registry.fedoraproject.org/f29/httpd /usr/bin/run-httpd
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob aaf5ad2e1aa3 done
Copying blob 7692efc5f81c done
Copying blob d77ff9f653ce done
Copying config 25c76f9dcd done
Writing manifest to image destination
Storing signatures
32927806ea54e854e487362d39d738666ea7006767141a8a4f7af4ad9eb315d3
[root@localhost ~]#
List running containers
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
32927806ea54 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 3 minutes ago Up 3 minutes ago 0.0.0.0:8080->8080/tcp hungry_visvesvaraya
[root@localhost ~]#
Inspect the running container (-l selects the most recently created container)
[root@localhost ~]# podman inspect -l |grep -i ipaddres
"IPAddress": "10.88.0.2",
"IPAddress": "10.88.0.2",
[root@localhost ~]#
Test the httpd server
[root@localhost ~]# curl 10.88.0.2:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Test Page for the Apache HTTP Server on Fedora</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
/*<![CDATA[*/
The same page is reachable through the host's own address on the mapped port (8080, from the -p 8080:8080/tcp option above).
View the container's logs
[root@localhost ~]# podman logs -l
=> sourcing 10-set-mpm.sh ...
=> sourcing 20-copy-config.sh ...
=> sourcing 40-ssl-certs.sh ...
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.2. Set the 'ServerName' directive globally to suppress this message
View the container's processes
podman top shows the httpd processes and their PIDs inside the container
[root@localhost ~]# podman top -l
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
default 1 0 0.000 15m15.790891247s pts/0 0s httpd -D FOREGROUND
default 23 1 0.000 15m15.791014584s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 24 1 0.000 15m15.791051976s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 25 1 0.000 15m15.791083142s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 26 1 0.000 15m15.79111865s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 27 1 0.000 15m15.791148096s pts/0 0s httpd -D FOREGROUND
default 28 1 0.000 15m15.791178705s pts/0 0s httpd -D FOREGROUND
default 30 1 0.000 15m15.791209738s pts/0 0s httpd -D FOREGROUND
default 33 1 0.000 15m15.791243228s pts/0 0s httpd -D FOREGROUND
[root@localhost ~]#
Checkpoint a container
Checkpointing stops the container and writes the state of every process in it to disk. The container can later be restored and continue running from exactly the point at which it was checkpointed. This feature requires CRIU 3.11 or later on the system. It is not supported for rootless containers, so if you want to try it you need to recreate the container as root, using the same command with sudo.
[root@localhost ~]# podman container checkpoint hungry_visvesvaraya
32927806ea54e854e487362d39d738666ea7006767141a8a4f7af4ad9eb315d3
[root@localhost ~]#
[root@localhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0850f917a648 docker.io/library/busybox:latest sh 25 hours ago Exited (0) 25 hours ago priceless_hermann
52def17049b0 docker.io/library/busybox:latest sh 25 hours ago Exited (0) 25 hours ago trusting_wright
2968cb1c8253 docker.io/library/busybox:latest sh 25 hours ago Exited (127) 25 hours ago hardcore_payne
120fd003c071 docker.io/library/busybox:latest sh 25
Restore the container
[root@localhost ~]# podman container restore hungry_visvesvaraya
32927806ea54e854e487362d39d738666ea7006767141a8a4f7af4ad9eb315d3
[root@localhost ~]#
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
32927806ea54 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 20 minutes ago Up 20 minutes ago 0.0.0.0:8080->8080/tcp hungry_visvesvaraya
[root@localhost ~]#
[root@localhost ~]# curl 10.88.0.2:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Test Page for the Apache HTTP Server on Fedora</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
/*<![CDATA[*/
Migrate a container
To live-migrate a container from one host to another, the container is checkpointed on the source system, the checkpoint is transferred to the destination system, and the container is restored there. An output file can be specified when exporting the checkpoint for transfer.
On the source system:
[root@localhost ~]# podman container checkpoint hungry_visvesvaraya -e /tmp/algg.tar.gz
32927806ea54e854e487362d39d738666ea7006767141a8a4f7af4ad9eb315d3
[root@localhost ~]#
[root@localhost ~]# scp /tmp/algg.tar.gz 192.168.10.150:/tmp
The authenticity of host '192.168.10.150 (192.168.10.150)' can't be established. // IP address of the target host
ECDSA key fingerprint is SHA256:n0Dkwe1M34tJ4a5o5+F7/QfqfwCkHlPmjNl+BKqWjgY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.10.150' (ECDSA) to the list of known hosts.
root@192.168.10.150's password: // root password of the target host
algg.tar.gz 100% 6703KB 162.4MB/s 00:00
[root@localhost ~]#
On the target system (note that in this run the restore pulled the image but then failed at the shm mount step, as the error below shows):
[root@localhost ~]# podman container restore -i /tmp/algg.tar.gz
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob d77ff9f653ce done
Copying blob aaf5ad2e1aa3 done
Copying blob 7692efc5f81c done
Copying config 25c76f9dcd done
Writing manifest to image destination
Storing signatures
Error: failed to mount shm tmpfs "/var/lib/containers/storage/overlay-containers/32927806ea54e854e487362d39d738666ea7006767141a8a4f7af4ad9eb315d3/userdata/shm": invalid argument
[root@localhost ~]#
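The migration procedure above with an integrity check added, as an example that is not part of the original post. A checkpoint archive holds the memory and open-file state of every process in the container and is restored as root on the target, so the target should confirm that the archive it received is exactly the one the source exported before it runs podman container restore -i. The container name, archive path and host address are the ones from the transcript; the .sha256 companion file and copying it alongside the archive are assumptions. The podman calls are wrapped in functions that do not run when the script is merely sourced, and nothing here addresses the shm mount error shown above.

```shell
#!/bin/sh
# Added example, not from the original post: wrap the checkpoint export and
# restore so that the archive's SHA-256 is recorded on the source and checked
# on the target before `podman container restore -i` is allowed to run.
# Assumption: the digest lives in <archive>.sha256 and travels with the archive.

# Print the SHA-256 of an archive (digest only, without the file name).
checkpoint_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Source side: export a checkpoint and write <archive>.sha256 next to it.
# (Calls podman; not exercised when the script is only sourced.)
checkpoint_export() {
    name=$1; archive=$2
    podman container checkpoint "$name" -e "$archive" || return 1
    checkpoint_digest "$archive" > "$archive.sha256"
}

# Return 0 only if the archive and its digest file exist, the archive is a
# readable gzip tar, and the digest matches the one recorded by the source.
verify_checkpoint() {
    archive=$1
    [ -f "$archive" ] && [ -f "$archive.sha256" ] || return 1
    tar -tzf "$archive" > /dev/null 2>&1 || return 1
    expected=$(cat "$archive.sha256")
    actual=$(checkpoint_digest "$archive")
    [ "$expected" = "$actual" ]
}

# Target side: restore only after the archive has been verified.
# (Calls podman; not exercised when the script is only sourced.)
checkpoint_restore_verified() {
    archive=$1
    if ! verify_checkpoint "$archive"; then
        echo "refusing to restore $archive: verification failed" >&2
        return 1
    fi
    podman container restore -i "$archive"
}

# Usage, following the transcript (not run here):
#   source:  checkpoint_export hungry_visvesvaraya /tmp/algg.tar.gz
#            scp /tmp/algg.tar.gz /tmp/algg.tar.gz.sha256 192.168.10.150:/tmp
#   target:  checkpoint_restore_verified /tmp/algg.tar.gz
```

Copying the digest file over the same scp session as the archive only catches corruption in transit; to catch a substituted archive, compare the digest against a value obtained over a separate channel (for example read out on the source console).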
Stop the container
[root@localhost ~]# podman stop -l
32927806ea54e854e487362d39d738666ea7006767141a8a4f7af4ad9eb315d3
[root@localhost ~]#
[root@localhost ~]# podman ps -a
32927806ea54 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 39 minutes ago Exited (0) 12 minutes ago 0.0.0.0:8080->8080/tcp hungry_visvesvaraya
How to sign and distribute container images with podman
First generate a GPG key pair to sign with:
[root@localhost ~]# gpg --full-gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: daojiang
Email address: 123@4.com
Comment: alg
You selected this USER-ID:
"daojiang (alg) <123@4.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
┌──────────────────────────────────────────┐
│ Please enter the passphrase to           │
│ protect your new key                     │
│                                          │
│ Passphrase: ******                       │
│                                          │
│       <OK>                    <Cancel>   │
└──────────────────────────────────────────┘
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 3503977B1F4F8C4F marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/535227B0CA69106F3E93A5A23503977B1F4F8C4F.rev'
public and secret key created and signed.
pub rsa2048 2022-08-15 [SC]
535227B0CA69106F3E93A5A23503977B1F4F8C4F
uid daojiang (alg) <123@4.com>
sub rsa2048 2022-08-15 [E]
View the generated key
[root@localhost ~]# gpg --list-keys 123@4.com
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub rsa2048 2022-08-15 [SC]
535227B0CA69106F3E93A5A23503977B1F4F8C4F
uid [ultimate] daojiang (alg) <123@4.com>
sub rsa2048 2022-08-15 [E]
[root@localhost ~]#
Choose a standard image for the signing experiment: alpine
[root@localhost ~]# podman pull docker://docker.io/alpine:latest
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob 59bf1c3509f3 done
Copying config c059bfaa84 done
Writing manifest to image destination
Storing signatures
c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18
[root@localhost ~]#
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
Deploy harbor
[root@harbor ~]# wget https://github.com/goharbor/harbor/releases/download/v2.5.3/harbor-offline-installer-v2.5.3.tgz
The downloaded archive is placed under /root. The transcript then continues from /usr/local, where the archive was unpacked (the extraction step itself is not shown).
[root@harbor ~]# ls
anaconda-ks.cfg harbor-offline-installer-v2.5.3.tgz
[root@harbor local]# cd harbor/
[root@harbor harbor]# ls
LICENSE common.sh harbor.v2.5.3.tar.gz harbor.yml.tmpl install.sh prepare
[root@harbor harbor]# cp harbor.yml.tmpl harbor.yml
[root@harbor harbor]# vi harbor.yml
hostname: harbor.example.com
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 80
# https related config
#https:
# https port for harbor, default is 443
#port: 443
# The path of cert and key files for nginx
#certificate: /your/certificate/path
#private_key: /your/private/key/path
[root@harbor harbor]# ./install.sh
[+] Running 10/10
⠿ Network harbor_harbor Created 0.2s
⠿ Container harbor-log Started 0.6s
⠿ Container harbor-portal Started 2.2s
⠿ Container registryctl Started 2.2s
⠿ Container redis Started 2.4s
⠿ Container registry Started 2.2s
⠿ Container harbor-db Started 2.4s
⠿ Container harbor-core Started 2.8s
⠿ Container nginx Started 3.6s
⠿ Container harbor-jobservice Started 3.3s
✔ ----Harbor has been installed and started successfully.----
[root@harbor harbor]#
[root@harbor harbor]#
[root@harbor harbor]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:1514 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 [::]:22 [::]:*
[root@harbor harbor]#
Re-tag the image for the Harbor registry
[root@localhost ~]# podman tag alpine 192.168.10.145/alpine:v0.1
[root@localhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
192.168.10.145/alpine v0.1 c059bfaa849c 8 months ago 5.87 MB
[root@localhost ~]#
Modify the system-wide registry configuration /etc/containers/registries.d/default.yaml:
sigstore: the web server URL from which signatures are read
sigstore-staging: the file path to which signatures are written
[root@localhost ~]# vim /etc/containers/registries.d/default.yaml
default-docker:
sigstore: http://192.168.10.145
sigstore-staging: file:///var/lib/containers/sigstore
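An added example, not part of the original post, covering the enforcement side that the registries.d setting above leaves out: sigstore and sigstore-staging only tell podman where signatures are read and written, while /etc/containers/policy.json decides whether an unsigned image may be pulled or run at all. The script exports the public half of the key generated earlier (uid 123@4.com), writes a policy that rejects unsigned images from the Harbor host 192.168.10.145, adds a registries.conf entry marking that host as insecure because Harbor was deployed with https disabled (so Harbor credentials travel in clear text), and wraps podman push --sign-by, which writes the signature to the sigstore-staging path. The output paths and the registries.conf.d file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the client-side files that
# make image signatures mandatory for the Harbor registry used on this page.
# Assumed paths: /etc/pki/containers/daojiang.gpg for the exported public key,
# /etc/containers/policy.json and /etc/containers/registries.conf.d/harbor.conf.

# Export the signing public key (binary form) for distribution to client hosts.
# (Calls gpg; not exercised when the script is only sourced.)
export_signing_pubkey() {          # args: gpg uid, output path
    gpg --export "$1" > "$2"
}

# Write a policy.json: everything is rejected by default, images from
# $registry must carry a signature verifiable with the key at $keypath, and
# images already in local storage stay usable.
write_signature_policy() {         # args: registry, key path, output path
    registry=$1; keypath=$2; out=$3
    cat > "$out" <<EOF
{
  "default": [ { "type": "reject" } ],
  "transports": {
    "docker": {
      "$registry": [
        { "type": "signedBy", "keyType": "GPGKeys", "keyPath": "$keypath" }
      ]
    },
    "containers-storage": { "": [ { "type": "insecureAcceptAnything" } ] }
  }
}
EOF
}

# Write a registries.conf drop-in marking the plain-HTTP Harbor host as insecure;
# without it podman refuses to talk to a registry over http.
write_insecure_registry() {        # args: registry, output path
    cat > "$2" <<EOF
[[registry]]
location = "$1"
insecure = true
EOF
}

# Return 0 if the policy file rejects by default and has a signedBy rule for $2.
policy_requires_signature() {      # args: policy path, registry
    grep -q '"default": \[ { "type": "reject" } \]' "$1" &&
    grep -q "\"$2\"" "$1" &&
    grep -q '"type": "signedBy"' "$1"
}

# Push the re-tagged image and sign it with the given key; the signature is
# written under the sigstore-staging path from registries.d.
# (Calls podman; not exercised when the script is only sourced.)
push_signed() {                    # args: image reference, gpg uid
    podman push --sign-by "$2" "$1"
}

# Usage on the build host (not run here):
#   export_signing_pubkey 123@4.com /etc/pki/containers/daojiang.gpg
#   write_signature_policy 192.168.10.145 /etc/pki/containers/daojiang.gpg /etc/containers/policy.json
#   write_insecure_registry 192.168.10.145 /etc/containers/registries.conf.d/harbor.conf
#   push_signed 192.168.10.145/alpine:v0.1 123@4.com
```

On a client host only the exported public key, the policy and the registries.conf drop-in are needed; podman pull then fetches the signature from the sigstore URL configured above and refuses the image if the signature is missing or does not verify against the key.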
From: https://www.cnblogs.com/nie123/p/16590236.html