Last updated: 2024-05-05
Introduction
- Podman runs Open Container Initiative (OCI) containers
- Podman is daemon-less (a single command-line binary): there is no long-running root daemon that every container operation has to go through
OCI Runtime
https://opencontainers.org/
The Open Container Initiative develops specifications for standards on Operating System process and application containers.
Contents
- Installation
- Linux Distribution
- Configuration
- Basic Usage
- mount & umount
- podman cp
- Image
- Volume
- Auto start container
- volatile mount
- conmon program
- runc
- Overriding an Image's startup ENTRYPOINT
- Login & Logout Registry
- More
Installation
dnf install podman
podman -v
podman version 4.1.1
podman version
Client: Podman Engine Version: 4.1.1 API Version: 4.1.1 Go Version: go1.17.12 Built: Tue Aug 2 15:53:14 2022 OS/Arch: linux/amd64
# podman needs no daemon to run containers; podman.service only serves the REST API
# socket (for podman --remote, docker-compose and similar clients). It is socket-activated
# and exits again after its idle timeout, which is why "inactive (dead)" below is normal;
# the unit usually enabled is podman.socket.
systemctl start podman
systemctl enable podman
systemctl status podman
● podman.service - Podman API Service
     Loaded: loaded (/usr/lib/systemd/system/podman.service; enabled; vendor preset: disabled)
     Active: inactive (dead) since Wed 2022-10-19 20:58:58 HKT; 6s ago
       Docs: man:podman-system-service(1)
    Process: 6365 ExecStart=/usr/bin/podman $LOGGING system service (code=exited, status=0/SUCCESS)
   Main PID: 6365 (code=exited, status=0/SUCCESS)

Oct 19 20:58:53 VM systemd[1]: Starting Podman API Service...
Oct 19 20:58:53 VM systemd[1]: Started Podman API Service.
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="/usr/bin/podman filtering at log level info"
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="Not using native diff for overlay, this may >
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="Setting parallel job count to 4"
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="Using systemd socket activation to determine>
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="API service listening on \"/run/podman/podma>
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="API service listening on \"/run/podman/podma>
Oct 19 20:58:58 VM systemd[1]: podman.service: Succeeded.
# View Podman system information (the security: block is the part worth checking:
# rootless, seccomp, SELinux/AppArmor, and where the API socket lives)
podman info
host:
  arch: amd64
  buildahVersion: 1.26.2
  cgroupControllers:
  - cpuset
  - cpu
  - ...
  cgroupManager: systemd
  cgroupVersion: v1
  ...
  idMappings:
    gidmap: null
    uidmap: null
  ociRuntime:
    name: crun
    ...
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: true
    capabilities: CAP_CHOWN,...
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  ...
  slirp4netns:
    executable: ""
    package: ""
    version: ""
plugins:
  log:
  - k8s-file
  - none
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
store:
  configFile: /etc/containers/storage.conf
  ..
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    ...
  ...
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
  ...
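The settings that matter in the output above are buried in the security: block. The following shell function is an added example (it is not part of the original notes or of Podman) that reads `podman info` output and flags the weak settings: rootless off, seccomp off, no SELinux/AppArmor, cgroup v1, and the presence of the API socket. The sample input is constructed to mirror the output shown above; the thresholds (what counts as WARN) are this example's own policy.

```shell
#!/bin/sh
# Added example, not from the original notes: audit the YAML that `podman info`
# prints for the security-relevant settings. Usage:
#   podman info | audit_podman_info        # or: audit_podman_info saved-info.yaml
# Only the keys visible in the sample output above are checked.

audit_podman_info() {
    # Reads `podman info` output from file $1 (or stdin). Prints one line per
    # check and returns the number of WARN lines as the exit status.
    awk '
        function val(line) { sub(/^[^:]*:[ \t]*/, "", line); return line }
        /^[ \t]*rootless:/           { rootless = val($0) }
        /^[ \t]*seccompEnabled:/     { seccomp  = val($0) }
        /^[ \t]*seccompProfilePath:/ { profile  = val($0) }
        /^[ \t]*selinuxEnabled:/     { selinux  = val($0) }
        /^[ \t]*apparmorEnabled:/    { apparmor = val($0) }
        /^[ \t]*cgroupVersion:/      { cgroupv  = val($0) }
        /^[ \t]*path:.*podman\.sock/ { sock     = val($0) }
        END {
            warn = 0
            if (rootless == "true") print "OK   rootless: container root is an unprivileged host user"
            else { print "WARN rootless=false: container processes run as host root (namespaced)"; warn++ }
            if (seccomp == "true") print "OK   seccomp profile " profile
            else { print "WARN seccomp disabled: full syscall surface exposed"; warn++ }
            if (selinux == "true" || apparmor == "true") print "OK   MAC enabled (selinux=" selinux ", apparmor=" apparmor ")"
            else { print "WARN no SELinux/AppArmor confinement for containers"; warn++ }
            if (cgroupv == "v2") print "OK   cgroup v2"
            else { print "WARN cgroup " cgroupv ": rootless resource limits require cgroup v2"; warn++ }
            if (sock != "") print "INFO API socket " sock ": whoever can write to it controls podman, restrict its permissions"
            exit warn
        }
    ' ${1:+"$1"}
}

# Constructed sample mirroring the `podman info` output above (not real host data).
sample_podman_info() {
    cat <<'EOF'
host:
  arch: amd64
  cgroupManager: systemd
  cgroupVersion: v1
  ociRuntime:
    name: crun
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: true
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
store:
  graphDriverName: overlay
EOF
}

sample_podman_info | audit_podman_info
echo "warnings: $?"
```

On the sample the function reports two warnings (rootless=false and cgroup v1); the exit status makes it usable as a gate in a provisioning script.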
Linux Distribution (Podman version shipped by the distribution)
RHEL
- 8 -> 4.1
Ubuntu
- 22.04 -> 3.4
Configuration
'/etc/containers' directory
policy.json
Policy configuration for image signing.
storage.conf
Configuration of default storage for Podman. Includes drivers, location, etc.
registries.conf
List of available container image registries such as
Docker Registry, RHEL Container image registry, and Fedora Container images registry.
registries.d/
Per-registry signature-storage (sigstore / lookaside) configuration used by image signing.
registries.conf.d/
Drop-in fragments for registries.conf, including the short-name alias table (e.g. 000-shortnames.conf).
Basic Usage
Search and pull an image
podman search rocky
podman pull rocky
# A short name is resolved through the alias table / unqualified-search-registries,
# e.g. for hello-world:
podman pull hello-world
Resolved "hello-world" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull quay.io/podman/hello:latest...
List local images
podman images [options] [IMAGE]
podman images
REPOSITORY             TAG      IMAGE ID      CREATED      SIZE
quay.io/podman/hello   latest   45c8981b04d0  7 hours ago  82.1 kB
podman images db
REPOSITORY     TAG   IMAGE ID      CREATED      SIZE
localhost/db   v2    60e6b9a17ba7  5 days ago   801 MB
localhost/db   v3    9a646ec64180  7 days ago   774 MB
Run
# --detach, -d
# --interactive, -i keep stdin open even if not attached.
# --tty, -t Allocate a pseudo-TTY
podman run -dit --name mytest hello-world
podman ps [-a]
inspect
podman inspect container-name
Useful info
podman inspect test | jq '.[] | keys'
podman inspect test | jq .[0].HostConfig | jq '.Memory, .MemorySwap'
podman inspect test | jq .[0].Mounts
podman inspect test | jq .[0].NetworkSettings.Networks
podman inspect test | jq .[0].Config.Labels
podman inspect test | jq .[0].Config.CreateCommand
podman inspect test | jq .[0].GraphDriver
attach
# either view its ongoing output or to control it interactively
podman attach container-name
P.S. To detach from an attached container:
Default key sequence: ctrl-p,ctrl-q
Change it with the --detach-keys option, or set detach_keys in containers.conf
exec
Execute a command in a running container
e.g.
# -i, --interactive; -t, --tty
podman exec -it CT-NAME /bin/sh
stop
podman stop container-name
rm
podman rm container-name
Container resource usage
podman stats [container]
Columns:
- ID
- NAME
- CPU %
- MEM USAGE / LIMIT MEM %
- NET IO
- BLOCK IO
- PIDS
- CPU TIME
- AVG CPU %
mount & umount
mount
podman mount [options] [container …]
# list all of the currently mounted containers
podman mount
# mount
podman mount containerID1
# prints where the container's root filesystem is mounted on the host:
/var/lib/containers/storage/overlay/ID/merged
# rootless: run it inside `podman unshare`, otherwise the mount is not possible
umount
podman umount containerID
podman umount --all
podman cp
Besides mount, cp copies data in and out of a container directly
podman cp [options] [container:]src_path [container:]dest_path
Opts:
--overwrite
Allow directories to be overwritten with non-directories and vice versa.
By default, podman cp errors out when attempting to overwrite
EXAMPLES
# From host to a container
podman cp /myapp/app.conf containerID:/myapp/app.conf
# From a container to another container
podman cp containerID1:/myfile.txt containerID2:/tmp
Image
search
# --filter
podman search --filter=is-official rocky
NAME                           DESCRIPTION
docker.io/library/rockylinux   The official build of Rocky Linux.
# --list-tags
podman search --list-tags docker.io/library/rockylinux
# --limit=limit
Limit the number of results (default 25).
pull
# name[:tag]
podman pull docker.io/library/rockylinux:8
image list
list local image
image tree
podman image tree myrock8
Image ID: b97594aed070
Tags:     [localhost/myrock8:v1 localhost/myrock8:latest]
Size:     431.9MB
Image Layers
├── ID: 44e6e3eb06d8 Size: 201.9MB Top Layer of: [docker.io/rockylinux/rockylinux:8.6]
├── ID: c78d5d722c03 Size: 23.04kB
├── ID: 1220167252e8 Size: 136.2MB
└── ID: 479813204267 Size: 93.69MB Top Layer of: [localhost/myrock8:v1 localhost/myrock8:latest]
P.S.
podman image inspect myrock8 | jq '.[].RepoTags, .[].RootFS'
[
"localhost/myrock8:v1",
"localhost/myrock8:latest"
]
{
"Type": "layers",
"Layers": [
"sha256:44e6e3eb06d8ec453315fb8767b27ef54f69ca5c5364b6251d6bb2b907cc14bc",
"sha256:ce22a1c72a329cbcfdf669cc4e1c9168e7943e768447c1095db99d6f329cdddd",
"sha256:db2bf7c96010f30905ff7c31296d9fb75230cb44efa9459e1f25edc6286fa4b8",
"sha256:2f3490b03e2c9ae98b0b699ac007146dd38866779075a82225017400919007e9"
]
}
Note: RootFS.Layers are DiffIDs (digests of the uncompressed layer tars). The layer IDs shown by
image tree are storage chain IDs, so only the bottom layer's ID matches its DiffID.
history
Show history of a specified image
rmi
Removes one or more images from local storage
tag & untag
tag: Add an additional name to a local image
podman images
REPOSITORY          TAG      IMAGE ID      CREATED       SIZE
localhost/www-v3    latest   9688b374182e  19 hours ago  602 MB
# If a specified name does not include a tag, :latest will be appended
podman tag 9688b374182e www:v3
REPOSITORY          TAG      IMAGE ID      CREATED       SIZE
localhost/www-v3    latest   9688b374182e  19 hours ago  602 MB
localhost/www       v3       9688b374182e  19 hours ago  602 MB
Give an image the latest tag (same image ID, one more name)
podman tag b97594aed070 myrock8:v1
podman tag myrock8:v1 myrock8
untag: Remove one or more names from an image in the local storage.
# If no name is specified, all names are removed from the image (the image itself stays until rmi)
podman untag 9688b374182e
<none>              <none>   9688b374182e  19 hours ago  602 MB
Remove a single name
podman untag b97594aed070 mypod-v2
Notes
[1] If a specified name is a short name and does not include a registry,
localhost/ will be prefixed (e.g., fedora -> localhost/fedora).
[2] If a specified name does not include a tag,
:latest will be appended (e.g., localhost/fedora -> localhost/fedora:latest).
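Notes [1] and [2] above are the naming rules podman applies when it stores a tag. The function below is an added example (not from the original notes and not Podman's own code) that reproduces them so a build script can predict the stored name and reject names podman would refuse. It assumes the docker reference grammar: a leading path component is a registry only if the name contains a "/" and that component contains "." or ":" or is exactly "localhost"; repository names must be lowercase; an @sha256: digest suppresses the :latest default.

```shell
#!/bin/sh
# Added example, not from the original notes: predict the fully qualified name that
# `podman tag` / `podman commit` will store for a given short name.
#   normalize_ref NAME   -> prints REGISTRY/REPO:TAG[@sha256:...] or fails (exit 1)

normalize_ref() {
    ref=$1
    digest=""
    case $ref in
        *@sha256:*) digest="@${ref#*@}"; ref=${ref%%@*} ;;     # keep digest, strip it for now
    esac
    # registry detection: first component is a registry only if it looks like a host
    case $ref in
        */*) first=${ref%%/*}
             case $first in
                 localhost|*.*|*:*) : ;;                      # registry already present
                 *) ref="localhost/$ref" ;;                   # note [1]
             esac ;;
        *)   ref="localhost/$ref" ;;                          # note [1], no '/' at all
    esac
    # split the last component into repository and tag
    last=${ref##*/}
    case $last in
        *:*) tag=":${last#*:}"; repo="${ref%/*}/${last%%:*}" ;;
        *)   tag=""; repo=$ref ;;
    esac
    case $repo in
        *[A-Z]*) echo "invalid reference format: repository name must be lowercase ($repo)" >&2; return 1 ;;
    esac
    if [ -z "$tag" ] && [ -z "$digest" ]; then tag=":latest"; fi   # note [2]
    printf '%s%s%s\n' "$repo" "$tag" "$digest"
}

# Demo over names used on this page plus a few edge cases
for name in fedora fedora:36 myrock8 db:v2 quay.io/podman/hello registry.example:5000/app \
            fedora@sha256:0123456789abcdef MyApp; do
    printf '%-40s -> ' "$name"
    normalize_ref "$name" || echo "(rejected)"
done
```

These rules are for tag/commit/build, which always store under localhost/ when no registry is given; podman pull resolves a bare short name through the alias table and unqualified-search-registries instead, as the hello-world pull output earlier on this page shows.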
Volume
--volume, -v=[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]
* The default overlay storage driver can mount container layers with the overlay "volatile"
  option (see "Volatile mount" below), so anything that must survive a crash belongs in a
  volume or bind mount, not in the container's writable layer !!
# mount cgroup read-only (must be read-only !! a writable /sys/fs/cgroup exposes the host's
# cgroup hierarchy to the container)
--volume /sys/fs/cgroup:/sys/fs/cgroup:ro
---
# mount Folder to container
# -v /HOST-DIR:/CONTAINER-DIR
-v $volroot/data:/var/lib/mysql
---
# mount file to container
-v $ssh_key:/root/.ssh/authorized_keys:ro
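The three mounts above (cgroup read-only, a data directory, a key file read-only) are exactly the cases a pre-flight check should catch when the :ro is forgotten. The script below is an added example, not part of the original notes or of Podman: it lints the -v/--volume specs of a podman run command line before the command is executed. The policy it encodes is an assumption for illustration (sensitive host paths must be :ro, the engine API socket is never mounted, key material is :ro); adapt the path lists to your own baseline.

```shell
#!/bin/sh
# Added example, not from the original notes: lint the -v/--volume specs of a
# `podman run` command line. Policy lists below are illustrative assumptions.

check_volume_spec() {
    # $1 = [HOST-DIR|VOLUME]:CONTAINER-DIR[:OPTIONS]; returns 1 if it must be rejected
    spec=$1
    [ -n "$spec" ] || { echo "FAIL empty volume spec"; return 1; }
    case $spec in
        *:*) src=${spec%%:*}; rest=${spec#*:} ;;
        *)   echo "OK   $spec (anonymous volume inside the container)"; return 0 ;;
    esac
    case $rest in
        *:*) opts=${rest#*:} ;;
        *)   opts="" ;;
    esac
    case $src in
        /*) : ;;
        *)  echo "OK   $spec (named volume managed by podman)"; return 0 ;;
    esac
    ro=0
    case ",$opts," in *,ro,*) ro=1 ;; esac
    # engine sockets: whoever can talk to them can start a privileged container
    case $src in
        */podman.sock|*/docker.sock)
            echo "FAIL $spec: mounting the engine API socket is equivalent to host root"; return 1 ;;
    esac
    # host paths a container may read but must never write (cgroups included: a writable
    # /sys/fs/cgroup exposes the host cgroup hierarchy, see the note above)
    case $src in
        /|/etc|/etc/*|/sys|/sys/*|/proc|/proc/*|/dev|/boot|/boot/*|/usr|/usr/*|/var/lib/containers|/var/lib/containers/*)
            if [ "$ro" -eq 0 ]; then echo "FAIL $spec: $src must be mounted :ro"; return 1; fi ;;
    esac
    # key material (the $ssh_key example above) stays read-only
    case $src in
        */.ssh/*|*.key|*.pem)
            if [ "$ro" -eq 0 ]; then echo "FAIL $spec: key material must be mounted :ro"; return 1; fi ;;
    esac
    if [ "$ro" -eq 1 ]; then echo "OK   $spec (read-only)"
    else echo "WARN $spec: host directory writable from the container"; fi
    return 0
}

lint_run_args() {
    # Walks a `podman run` argument list, checks every volume spec and returns the
    # number of rejected specs. Usage: lint_run_args -dit -v /a:/b ... IMAGE
    fails=0
    while [ $# -gt 0 ]; do
        case $1 in
            -v|--volume) shift; check_volume_spec "$1" || fails=$((fails + 1)) ;;
            --volume=*)  check_volume_spec "${1#--volume=}" || fails=$((fails + 1)) ;;
            -v?*)        check_volume_spec "${1#-v}" || fails=$((fails + 1)) ;;
        esac
        shift
    done
    return "$fails"
}

# Demo: the cgroup, data-directory and ssh-key mounts from the notes above, plus two
# specs that should be rejected (constructed paths)
lint_run_args -dit --name db \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
    -v /srv/db/data:/var/lib/mysql \
    -v /root/.ssh/authorized_keys:/root/.ssh/authorized_keys:ro \
    -v /sys/fs/cgroup:/sys/fs/cgroup:rw \
    --volume=/run/podman/podman.sock:/var/run/docker.sock \
    localhost/db:v3
echo "rejected: $?"
```

The check only looks at the ro flag; on SELinux hosts the :z / :Z relabel options decide whether the container can read the host directory at all, and :Z (private label) is the safer default for a directory used by a single container.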
RUN
CMD vs ENTRYPOINT (shell form vs exec form)
An image has no ENTRYPOINT unless its Containerfile sets one. What is added by default is the
shell wrapper for shell-form instructions: CMD bash is stored as ["/bin/sh", "-c", "bash"],
so the process that actually starts is "/bin/sh -c bash" (the shell is PID 1, not bash).
Exec form, CMD ["bash"], runs the binary directly. The combination rules are under
"CMD v.s. ENTRYPOINT" below.
--add-host=host:ip
Add a line to /etc/hosts. The format is
hostname:ip
The --add-host option can be set multiple times.
* The host's /etc/hosts entries are copied into the container automatically; --add-host is only for extra entries
* --no-hosts: do not copy the host's /etc/hosts into the container (cannot be combined with --add-host)
--dns=ipaddr
Set custom DNS servers.
--ip=ipv4
Specify a static IPv4 address for the container
This option can only be used if the container is joined to only a single network
(--network=network-name)
The address must lie inside the subnet (or --ip-range) of that network
--tz=timezone
Set timezone in container.
/usr/share/zoneinfo/
env
--env, -e=env
Set environment variables.
--env-file=file
--hostuser=name, -h=name
Add a user account to /etc/passwd from the host to the container. The Username or UID must exist on the host system.
--passwd
Allow Podman to add entries to /etc/passwd and /etc/group when used in conjunction with the --user option.
--passwd-entry=ENTRY
Customize the entry that is written to the /etc/passwd file within the container when --passwd is used.
--user, -u=user[:group]
Sets the username or UID used and, optionally, the groupname or GID for the specified command.
Both user and group may be symbolic or numeric.
--label, -l=key=value
Add metadata to a container.
--mount=type=TYPE,TYPE-SPECIFIC-OPTION[,…]
Attach a filesystem mount to the container
Current supported mount TYPEs are bind, volume, image, tmpfs and devpts.
--secret=secret[,opt=opt …]
A secret is a blob of sensitive data which a container needs at runtime but should not be stored in the image or in source control,
such as usernames and passwords, TLS certificates and keys, SSH keys or other important generic strings or binary content (up to 500 kb in size).
When secrets are specified as type mount, the secrets are copied and mounted into the container when a container is created.
Export & Import
Export
Export container’s filesystem contents as a tar archive
* writes to STDOUT by default
* The image of the container exported by podman export can be imported by podman import.
Import
Import a tarball to create a filesystem image
Notes: export vs save
export
It contains the same files as the image that started the container but without history and metadata.
save
preserves the "image" layer information, including all history and metadata
Save & Load
Save
# Save image to an archive
podman save [options] name[:tag]
* podman save writes to STDOUT by default
* If no tag is given, only :latest is saved (not every tag of the repository); use
  --multi-image-archive, -m with several names to put more than one image in one archive
--format=format
- docker-archive # default
- oci-archive
- oci-dir
- docker-dir
i.e.
podman images # list images
podman save alpine > alpine-all.tar
podman save -o alpine.tar alpine:2.6
Load
Load an image from container archive
i.e.
# Method 1
podman load -i db.tar
44e6e3eb06d8: Loading layer 201.9MB/201.9MB
ce22a1c72a32: Loading layer 23.04kB/23.04kB
db2bf7c96010: Loading layer 136.2MB/136.2MB
08d4b0b64555: Loading layer 435.8MB/435.8MB
a35fb4407103: Loading layer 23.64MB/23.64MB
937cb9e03c7c: Loading layer 3.67MB/3.67MB
Loaded image: localhost/db:v1
# Method 2 (podman load reads STDIN, so a compressed archive can be streamed in)
zcat www-v3.tar.gz | podman load
commit & build
build
Build an image using instructions from "Dockerfile" / "Containerfiles"
# Specify the Containerfile name
podman build -f Dockerfile.v3
* Without -t, podman images shows "<none>" for both REPOSITORY and TAG
  (--tag, -t imageName)
commit
Create new image based on the changed container
OPT
--include-volumes
Include in the committed image any volumes added to the container by
the --volume or --mount OPTIONS to the podman create and podman run commands.
--format, -f= # oci | docker
--change, -c=instruction
Apply the following possible instructions to the created image:
- CMD
- ENTRYPOINT
- ENV
- EXPOSE
- LABEL
- ONBUILD
- STOPSIGNAL
- USER
- VOLUME
- WORKDIR
--author, -a=author
--message, -m=message
Set commit message for committed image.
IMPORTANT: The message field is not supported in oci format.
--pause, -p # The default is false.
Pause the container when creating an image.
--squash, -s # The default is false.
Squash newly built layers into a single new layer.
e.g.
podman commit \
--change CMD=/bin/bash \
--author tim \
mypod-v1 mypod-v2
Checkpointing
Checkpointing a container stops the container while writing the state of all processes in the container to disk.
This capability requires CRIU 3.11 or later installed on the system.(https://criu.org/Main_Page)
Checkpoints currently work with root containers only.
podman container checkpoint <container_id>
podman container restore <container_id>
logs
podman run -it --rm -d -p 8080:80 --name web nginx:alpine
podman logs web
podman logs -f web # Follow log output. Default is false.
podman logs --tail 10 web
healthcheck
podman healthcheck run CONTAINER
Runs the healthcheck command defined in a running container manually.
0 = healthcheck command succeeded
1 = healthcheck command failed
125 = an error has occurred
--health-cmd="command" | "["command", "arg1", …]"
The command is a command to be executed inside your container that determines your container health.
--health-on-failure=action
Action to take once the container turns unhealthy:
- none: Take no action (default)
- kill: Kill the container
- restart: Restart the container.
  Do not combine the restart action with the --restart flag.
  When running inside of a systemd unit, consider using the kill or stop action
  instead to make use of systemd's restart policy.
- stop: Stop the container
===========
# timing options (defaults shown)
--health-interval=30s
--health-retries=3
--health-timeout=30s
--health-start-period=0s
===========
--restart
Restart policy to follow when containers exit.
Restart policy will not take effect if a container is stopped via the podman kill or podman stop commands.
Please note that restart will not restart containers after a system reboot.
Valid policy values are:
- no : Do not restart containers on exit
- on-failure[:max_retries]
- always: Restart containers when they exit, regardless of status
- unless-stopped: Identical to always
Volatile mount
Volatile mounts are not guaranteed to survive a crash. (Podman uses this overlay option for
containers that are removed on exit, e.g. podman run --rm, since their upper layer is discarded anyway.)
It is strongly recommended that volatile mounts are only used if data written to the overlay can be recreated without significant effort.
The advantage of mounting with the “volatile” option is that all forms of sync calls to the upper filesystem are omitted.
When overlay is mounted with “volatile” option, the directory “$workdir/work/incompat/volatile” is created.
During next mount, overlay checks for this directory and refuses to mount if present.
This is a strong indicator that user should throw away upper and work directories and create fresh one.
conmon program
When Podman starts a container it actually executes the conmon program, which then executes the OCI Runtime. Conmon is the container monitor. It is a small program whose job is to watch the primary process of the container, and if the container dies, save the exit code. It also holds open the tty of the container, so that it can be attached to later. This is what allows Podman to run in detached mode (backgrounded), so Podman can exit but conmon continues to run. Each container has their own instance of conmon. Conmon waits for the container to exit, gathers and saves the exit code, and then launches a Podman process to complete the container cleanup, by shutting down the network and storage.
help
man 8 conmon
conmon --version
conmon version 2.1.2 commit: 98e028a5804809ccb49bc099c0d53adc43ef8cc4
runc
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification.
- Linux namespaces full support
- Native support of Linux security features such as Selinux, Apparmor
- Specifications governed by Open Container Initiative
low-level: runc
high-level: CRI-O, podman, containerd
Relationship to runC
Podman calls the OCI runtime (runc, or crun as in the podman info output above) directly, with conmon as the per-container process manager
Overriding an Image's startup ENTRYPOINT
Show the current CMD
# --format=
podman inspect -f '{{.Config.Cmd}}' <image:tag>
Override
# Override the default ENTRYPOINT from the image.
podman run -it --entrypoint=/bin/bash IMAGE
CMD v.s. ENTRYPOINT
ENTRYPOINT is used to specify the main command that should be executed when the container starts.
More options can be passed in via the COMMAND.
CMD is used to provide default arguments for the ENTRYPOINT or
to specify the command to be executed if no ENTRYPOINT is specified.
e.g.
ENTRYPOINT ["/usr/sbin/apache2ctl"]
CMD ["-D", "FOREGROUND"]
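The apache2ctl example above, the shell-form note under "RUN / CMD vs ENTRYPOINT", and the --entrypoint override all reduce to one rule set for what argv actually starts. The function below is an added example (not from the original notes, not Podman code) that applies those rules. The "exec:<words>" / "shell:<string>" / "" encoding of an instruction is this example's own convention for passing the two Containerfile forms, not a podman format.

```shell
#!/bin/sh
# Added example, not from the original notes: compute the argv that runs for a given
# ENTRYPOINT/CMD pair, a --entrypoint override, and words given after IMAGE.
# Instruction encoding (example's own): "exec:<words>" = JSON exec form,
# "shell:<string>" = shell form, "" = not set.

effective_cmd() {
    # $1 = image ENTRYPOINT, $2 = image CMD, $3 = --entrypoint override (optional),
    # $4 = words after IMAGE on the podman run line (optional)
    ep=$1; cmd=$2; override=${3:-}; runargs=${4:-}
    if [ -n "$runargs" ]; then
        cmd="exec:$runargs"                 # command-line args always replace CMD
    fi
    if [ -n "$override" ]; then
        ep="exec:$override"                 # --entrypoint replaces ENTRYPOINT ...
        [ -n "$runargs" ] || cmd=""         # ... and drops the image's CMD
    fi
    case $ep in
        shell:*) printf "/bin/sh -c '%s'\n" "${ep#shell:}"; return 0 ;;  # CMD is ignored
        exec:*)  ep_words=${ep#exec:} ;;
        "")      ep_words="" ;;
        *)       echo "bad ENTRYPOINT encoding: $ep" >&2; return 2 ;;
    esac
    case $cmd in
        shell:*) cmd_words="/bin/sh -c '${cmd#shell:}'" ;;   # the string is one argv element
        exec:*)  cmd_words=${cmd#exec:} ;;
        "")      cmd_words="" ;;
        *)       echo "bad CMD encoding: $cmd" >&2; return 2 ;;
    esac
    if [ -z "$ep_words" ] && [ -z "$cmd_words" ]; then
        echo "error: no command specified" >&2; return 1
    fi
    if [ -n "$ep_words" ] && [ -n "$cmd_words" ]; then
        printf '%s %s\n' "$ep_words" "$cmd_words"
    else
        printf '%s\n' "$ep_words$cmd_words"
    fi
}

# Demo
echo "ENTRYPOINT [apache2ctl] + CMD [-D FOREGROUND]: $(effective_cmd 'exec:/usr/sbin/apache2ctl' 'exec:-D FOREGROUND')"
echo "no ENTRYPOINT + CMD bash (shell form):       $(effective_cmd '' 'shell:bash')"
echo "ENTRYPOINT shell form, CMD ignored:          $(effective_cmd 'shell:/app/start.sh' 'exec:--debug')"
echo "podman run --entrypoint=/bin/bash IMAGE:     $(effective_cmd 'exec:/usr/sbin/apache2ctl' 'exec:-D FOREGROUND' /bin/bash)"
echo "podman run IMAGE -D FOREGROUND -k start:     $(effective_cmd 'exec:/usr/sbin/apache2ctl' 'exec:-D FOREGROUND' '' '-D FOREGROUND -k start')"
```

The two security-relevant consequences are visible in the output: a shell-form ENTRYPOINT silently discards both CMD and any arguments passed on the command line, and a shell-form CMD makes /bin/sh PID 1 so the real service is a child that does not receive podman stop's SIGTERM directly.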
Login & Logout Registry
- login
- Authentication file
- Logout
Login
If the registry is not specified, the first registry under [registries.search] from registries.conf will be used.
/etc/containers/registries.conf
podman login --get-login AC_ID.dkr.ecr.ap-east-1.amazonaws.com
AWS
Authentication file
# Default: ${XDG_RUNTIME_DIR}/containers/auth.json; if XDG_RUNTIME_DIR is unset,
# /run/containers/$UID/auth.json (for root, XDG_RUNTIME_DIR is /run/user/0).
# Override with --authfile or the REGISTRY_AUTH_FILE environment variable.
# The "auth" value is only base64(user:password), so keep the file mode 0600.
${XDG_RUNTIME_DIR}/containers/auth.json
{
  "auths": {
    "AC_ID.dkr.ecr.ap-east-1.amazonaws.com": {
      "auth": "..."
    }
  }
}
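Because the "auth" field is plain base64 of user:password, the file is a credential store rather than a cache. The script below is an added example (not part of the original notes or of Podman) that locates the auth file the way podman-login(1) describes, checks its mode, and decodes each entry back to its username so it is obvious what a leaked copy would reveal. The sample auth.json it writes is constructed here with a placeholder token; no real registry is contacted.

```shell
#!/bin/sh
# Added example, not from the original notes: inspect what `podman login` stores.
#   inspect_authfile [FILE]   (default: podman's auth.json for the current user)

inspect_authfile() {
    f=${1:-${XDG_RUNTIME_DIR:-/run/containers/$(id -u)}/containers/auth.json}
    [ -r "$f" ] || { echo "no readable auth file at $f" >&2; return 1; }
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU stat, then BSD stat
    case $mode in
        600|400) echo "OK   $f mode $mode" ;;
        *)       echo "WARN $f mode $mode: registry passwords/tokens are recoverable from it, chmod 600" ;;
    esac
    # Flatten the JSON and pull out every "registry":{"auth":"..."} pair (no jq needed)
    tr -d ' \n\t' < "$f" | grep -o '"[^"]*":{"auth":"[^"]*"' |
    while IFS= read -r entry; do
        reg=${entry#\"}; reg=${reg%%\"*}
        b64=${entry##*\"auth\":\"}; b64=${b64%\"}
        user=$(printf '%s' "$b64" | base64 -d 2>/dev/null | cut -d: -f1)
        echo "     $reg user=${user:-<undecodable>}"
    done
    return 0
}

# Constructed sample in the layout shown above; the token is a placeholder string
write_sample_authfile() {
    b64=$(printf '%s' 'AWS:constructed-example-token' | base64 | tr -d '\n')
    printf '{\n  "auths": {\n    "AC_ID.dkr.ecr.ap-east-1.amazonaws.com": {\n      "auth": "%s"\n    }\n  }\n}\n' "$b64" > "$1"
}

tmp=$(mktemp)
write_sample_authfile "$tmp"
chmod 644 "$tmp"          # deliberately too open, to trigger the warning
inspect_authfile "$tmp"
rm -f "$tmp"
```

For ECR the stored "password" is a short-lived token, but for most registries it is the real password; running the check after `podman login` (or in a host audit) catches auth files that were created with a permissive umask or copied between users.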
Logout
Remove the cached credentials for registries in the auth file
podman logout [options] registry
options
--all, -a
More