首页 > 其他分享 >podman的基本设置和使用,签名分发镜像推送到harbor仓库

podman的基本设置和使用,签名分发镜像推送到harbor仓库

时间:2022-08-16 02:00:17浏览次数:54  
标签:httpd 8080 容器 harbor podman usr 推送 root

podman的基本设置和使用

目录

Podman 是作为 libpod 库的一部分提供的实用程序。它可用于创建和维护容器。以下教程将教您如何设置Podman并使用Podman执行一些基本命令。

podman的基本设置和使用

运行示例容器

此示例容器将运行一个非常基本的 httpd 服务器,该服务器仅为其索引页提供服务。

[root@podman ~]# podman run -dt -p 8080:8080/tcp -e HTTPD_VAR_RUN=/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d \
>                   -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf \
>                   -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \
>                   registry.fedoraproject.org/f29/httpd /usr/bin/run-httpd
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob d77ff9f653ce done  
Copying blob aaf5ad2e1aa3 done  
Copying blob 7692efc5f81c done  
Copying config 25c76f9dcd done  
Writing manifest to image destination
Storing signatures
81254d9cc4254c79c7497eeb6371003e0fd2e226f1337995bb56c233c99091b5

由于容器在分离模式下运行(在命令中由 -d 表示),因此 Podman 将在运行后打印容器 ID。请注意,我们使用端口转发来访问 HTTP 服务器。要成功运行,至少需要 slirp4netns v0.3.0。

查询一下slirp4netns是否高于 v0.3.0版本。

[root@podman ~]# rpm -qa|grep slirp4netns
slirp4netns-1.1.8-2.module_el8.7.0+1106+45480ee0.x86_64

列出正在运行的容器

[root@podman ~]# podman ps
CONTAINER ID  IMAGE                                        COMMAND               CREATED        STATUS            PORTS                   NAMES
81254d9cc425  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  5 minutes ago  Up 5 minutes ago  0.0.0.0:8080->8080/tcp  dreamy_merkle

注意:-l 是最新容器的便利参数。还可以使用容器的 ID 而不是 -l。

检查正在运行的容器

可以检查正在运行的容器,以获取有关其自身的元数据和详细信息。我们甚至可以使用 inspect 子命令来查看分配给容器的 IP 地址。由于容器在无根模式下运行,因此不会分配 IP 地址,并且该值将在检查的输出中列为“无”。

podman inspect -l |grep -i ipaddress

[root@podman ~]# podman inspect -l |grep -i ipaddress
               "IPAddress": "10.88.0.3",
                         "IPAddress": "10.88.0.3",

测试httpd服务器

curl http://localhost:8080

[root@podman ~]# podman port -l
8080/tcp -> 0.0.0.0:8080
[root@podman ~]# curl 10.88.0.3:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
...省略

web界面访问:

image

查看容器日志

podman logs --latest

[root@podman ~]# podman logs -l
=> sourcing 10-set-mpm.sh ...
=> sourcing 20-copy-config.sh ...
=> sourcing 40-ssl-certs.sh ...
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.3. Set the 'ServerName' directive globally to suppress this message
[Mon Aug 15 15:56:04.177877 2022] [ssl:warn] [pid 1:tid 139975668551040] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.1b FIPS  26 Feb 2019, version currently loaded is OpenSSL 1.1.1 FIPS  11 Sep 2018) - may result in undefined or erroneous behavior
...省略

查看容器的pid

podman top <container_id>

[root@podman ~]# podman top -l
USER        PID         PPID        %CPU        ELAPSED           TTY         TIME        COMMAND
default     1           0           0.000       17m15.264131783s  pts/0       0s          httpd -D FOREGROUND 
default     23          1           0.000       17m15.264256639s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     24          1           0.000       17m15.264293599s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     25          1           0.000       17m15.264317041s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     26          1           0.000       17m15.264343615s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     27          1           0.000       17m15.264365551s  pts/0       0s          httpd -D FOREGROUND 
default     28          1           0.000       17m15.264387439s  pts/0       0s          httpd -D FOREGROUND 
default     30          1           0.000       17m15.264408209s  pts/0       0s          httpd -D FOREGROUND 
default     37          1           0.000       17m15.264431233s  pts/0       0s          httpd -D FOREGROUND 
default     242         1           0.000       7m50.264451911s   pts/0       0s          httpd -D FOREGROUND 

对容器执行检查点操作

对容器执行检查点操作会停止容器,同时将容器中所有进程的状态写入磁盘。这样,容器以后可以还原,并在与检查点完全相同的时间点继续运行。此功能要求在系统上安装 CRIU 3.11 或更高版本。不支持此功能作为无根;因此,如果您想尝试一下,则需要使用相同的命令(但使用sudo)以root身份重新创建容器。若本身是管理员就不用sudu。

sudo podman container checkpoint <container_id>

[root@podman ~]# podman container checkpoint -l
81254d9cc4254c79c7497eeb6371003e0fd2e226f1337995bb56c233c99091b5
[root@podman ~]# ls
anaconda-ks.cfg  container-web.service
[root@podman ~]# podman ps -a
CONTAINER ID  IMAGE                                        COMMAND               CREATED         STATUS                     PORTS                   NAMES
81254d9cc425  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  53 minutes ago  Exited (0) 17 seconds ago  0.0.0.0:8080->8080/tcp  dreamy_merkle

恢复容器

还原容器仅适用于以前检查点的容器。还原的容器将继续在检查点操作的同一时间点运行。

sudo podman container restore <container_id>

[root@podman ~]# podman container restore -l
81254d9cc4254c79c7497eeb6371003e0fd2e226f1337995bb56c233c99091b5
[root@podman ~]# podman ps -a
CONTAINER ID  IMAGE                                        COMMAND               CREATED         STATUS             PORTS                   NAMES
81254d9cc425  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  54 minutes ago  Up 54 minutes ago  0.0.0.0:8080->8080/tcp  dreamy_merkle

还原后,容器将像检查点之前一样再次应答请求。

[root@podman ~]# curl 10.88.0.3:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

迁移容器

要将容器从一个主机实时迁移到另一个主机,容器将在迁移的源系统上执行检查点操作,传输到目标系统,然后在目标系统上还原。传输检查点时,可以指定输出文件。

在源系统上:

sudo podman container checkpoint <container_id> -e /tmp/checkpoint.tar.gz

scp /tmp/checkpoint.tar.gz <destination_system>:/tmp

[root@podman ~]# podman container checkpoint -l -e /tmp/checkpoint.tar.gz
81254d9cc4254c79c7497eeb6371003e0fd2e226f1337995bb56c233c99091b5
[root@podman ~]# scp /tmp/checkpoint.tar.gz 192.168.118.137:/tmp

在目标系统上:

sudo podman container restore -i /tmp/checkpoint.tar.gz

[root@localhost ~]# podman container restore -i /tmp/checkpoint.tar.gz
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob d77ff9f653ce done  
Copying blob aaf5ad2e1aa3 done  
Copying blob 7692efc5f81c done  
Copying config 25c76f9dcd done  
Writing manifest to image destination
Storing signatures
81254d9cc4254c79c7497eeb6371003e0fd2e226f1337995bb56c233c99091b5

还原后,web访问一下。

image

停止容器

要停止 httpd 容器,请执行以下操作:

[root@podman ~]# podman stop -l
81254d9cc4254c79c7497eeb6371003e0fd2e226f1337995bb56c233c99091b5
[root@podman ~]# podman ps -a
CONTAINER ID  IMAGE                                        COMMAND               CREATED            STATUS                    PORTS                   NAMES
81254d9cc425  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  About an hour ago  Exited (0) 5 seconds ago  0.0.0.0:8080->8080/tcp  dreamy_merkle

移除容器

删除 httpd 容器:

[root@podman ~]# podman rm -l
81254d9cc4254c79c7497eeb6371003e0fd2e226f1337995bb56c233c99091b5
[root@podman ~]# podman ps -a
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

podman签名分发镜像推送到harbor仓库

签署容器镜像的动机是只信任专门的镜像提供者以减轻中间人 (MITM) 攻击或对容器注册表的攻击。签署图像的一种方法是使用 GNU Privacy Guard ( GPG ) 密钥。这种技术通常与任何符合 OCI 的容器注册表兼容,例如:Quay.io。值得一提的是,OpenShift 集成容器注册表开箱即用地支持这种签名机制,这使得单独的签名存储变得不必要。

从技术角度来看,我们可以利用 Podman 对镜像进行签名,然后再将其推送到远程注册表。之后,所有运行 Podman 的系统都必须配置为从远程服务器检索签名,远程服务器可以是任何简单的 Web 服务器。这意味着在图像拉取操作期间,每个未签名的图像都将被拒绝。但这是如何工作的?

首先,我们必须创建一个 GPG 密钥对或选择一个已经在本地可用的密钥对。要生成新的 GPG 密钥,只需运行gpg --full-gen-key并按照交互式对话框操作。现在我们应该能够验证密钥在本地是否存在:

[root@podman ~]# gpg --full-gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: [email protected]
Email address: [email protected]
Comment: dada
You selected this USER-ID:
    "[email protected] (dada) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

#设置秘钥,tab到ok回车,这里要输入2次密码,设置密码时大于8位数
         ┌─┐
         │ Please enter the passphrase to                       │
         │ protect your new key                                 │
         │                                                      │
         │ Passphrase: ***********
         │                                                      │
         │       <OK>                              <Cancel>     │
         └─┘
 
      
         ┌─┐
         │ Please re-enter this passphrase                      │
         │                                                      │
         │ Passphrase: ***********
         │                                                      │
         │       <OK>                              <Cancel>     │
         └─┘
         
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 790E0F879B594C6D marked as ultimately trusted
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/6C72C4A589A2A40906BCA7BE790E0F879B594C6D.rev'
public and secret key created and signed.

pub   rsa2048 2022-08-15 [SC]
      6C72C4A589A2A40906BCA7BE790E0F879B594C6D
uid                      [email protected] (dada) <[email protected]>
sub   rsa2048 2022-08-15 [E]

[root@podman ~]# gpg --list-keys [email protected]
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
pub   rsa2048 2022-08-15 [SC]
      6C72C4A589A2A40906BCA7BE790E0F879B594C6D
uid           [ultimate] [email protected] (dada) <[email protected]>
sub   rsa2048 2022-08-15 [E]

标签:httpd,8080,容器,harbor,podman,usr,推送,root
From: https://www.cnblogs.com/Clannaddada/p/16590249.html

相关文章

  • podman对容器映像签名和分发
    目录熟悉podman如何使用Podman对容器映像进行签名和分发熟悉podman此示例容器将运行一个非常基本的httpd服务器,该服务器仅为其索引页提供服务[root@mr~]#podmanp......
  • podman的基本设置和使用
    podman的基本设置和使用运行一个示例容器[root@localhost~]#podmanrun-dt-p8080:8080/tcp-eHTTPD_VAR_RUN=/run/httpd-eHTTPD_MAIN_CONF_D_PATH=/etc/httpd/co......
  • podman的基本设置与podman签名
    目录podman的基本设置和使用签名和分发podman的基本设置和使用//注:因为只有一个容器所有使用的-l参数创建一个容器并放在后台运行做一个端口映射-p[root@harborhar......
  • ffmpeg以RTP协议推送视频
    docker编译环境dockerpullabdulachik/ffmpeg.js:latestdockerrun-it-p8080:8080-v/Users/workspace/Downloads/ffmpeg_wasm:/tmp--privileged=trueabdulachik/......
  • podman的部署与应用
    目录部署podmanpodman的应用部署podman安装podman[root@node1~]#yum-yinstallpodmanLastmetadataexpirationcheck:8:06:25agoonSun14Aug202211:58:39......
  • 关于harbor的使用,
    首先需要安装docker及docker-compose 过程省略下载并上传harbor压缩包,harbor-offline-installer-v2.5.3.tgz 解压到/usr/local目录下修改配置文件 名harbor.yml.tmpl......