podman

Last updated: 2022-10-19

Introduction

  • Podman uses Open Container Initiative (OCI) containers
  • Podman is a daemon-less tool (a single command-line binary)

OCI Runtime

https://opencontainers.org/

The Open Container Initiative develops specifications for standards on Operating System process and application containers.

Contents

  • Volume
  • Network & Firewall
  • Auto start container
  • volatile mount
  • conmon program
  • podman-gvproxy
  • Rocky 8 App
  • Cleanup container script
  • runc

 


Installation

 

dnf install podman

podman -v

podman version 4.1.1

podman version

Client:       Podman Engine
Version:      4.1.1
API Version:  4.1.1
Go Version:   go1.17.12
Built:        Tue Aug  2 15:53:14 2022
OS/Arch:      linux/amd64

systemctl start podman

systemctl enable podman

systemctl status podman

● podman.service - Podman API Service
   Loaded: loaded (/usr/lib/systemd/system/podman.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Wed 2022-10-19 20:58:58 HKT; 6s ago
     Docs: man:podman-system-service(1)
  Process: 6365 ExecStart=/usr/bin/podman $LOGGING system service (code=exited, status=0/SUCCESS)
 Main PID: 6365 (code=exited, status=0/SUCCESS)

Oct 19 20:58:53 VM systemd[1]: Starting Podman API Service...
Oct 19 20:58:53 VM systemd[1]: Started Podman API Service.
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="/usr/bin/podman filtering at log level info"
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="Not using native diff for overlay, this may >
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="Setting parallel job count to 4"
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="Using systemd socket activation to determine>
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="API service listening on \"/run/podman/podma>
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="API service listening on \"/run/podman/podma>
Oct 19 20:58:58 VM systemd[1]: podman.service: Succeeded.

# View Podman system information

podman info

host:
  arch: amd64
  buildahVersion: 1.26.2
  cgroupControllers:
  - cpuset
  - cpu
  - cpuacct
  - blkio
  - memory
  - devices
  - freezer
  - net_cls
  - perf_event
  - net_prio
  - hugetlb
  - pids
  - rdma
  cgroupManager: systemd
  cgroupVersion: v1
...

Configuration

'/etc/containers' directory

policy.json

Policy configuration for image signing.

registries.conf

List of available container image registries such as Docker Registry, RHEL Container image registry, and Fedora Container images registry.

storage.conf

Configuration of default storage for Podman. Includes drivers, location, etc.

registries.d/

Additional registries configuration and image signing

registries.conf.d/

Additional configuration for container image aliases.

Storage

Help: man 5 containers-storage.conf

/etc/containers/storage.conf

[storage]
# Default Storage Driver, Must be set for proper operation.
driver = "overlay"

# Primary Read/Write location of container storage
graphroot = "/var/lib/containers/storage"

tree /var/lib/containers/storage

/var/lib/containers/storage
├── libpod
│   └── bolt_state.db
├── mounts
├── overlay
│   ├── backingFsBlockDev
│   └── l
├── overlay-containers
│   └── containers.lock
├── overlay-images
│   └── images.lock
├── overlay-layers
│   └── layers.lock
├── storage.lock
├── tmp
└── userns.lock

Change /var/lib/containers/storage into a mount point

systemctl stop podman.socket

mv /var/lib/containers/storage/* /mnt/tmp

touch /var/lib/containers/storage/mountpoint.txt

/etc/fstab

# Data
UUID=????     /var/lib/containers/storage   xfs   noatime   0 0

mount -a

Creating a network

Create

podman network create \
 --subnet 192.168.200.0/24 \
 --ip-range 192.168.200.128/25 \
 --gateway 192.168.200.254 MyNet

podman network ls

NETWORK ID    NAME        DRIVER
8b5962b697d7  MyNet       bridge
2f259bab93aa  podman      bridge

podman network inspect MyNet

[
     {
          "name": "MyNet",
          "id": "UUID",
          "driver": "bridge",
          "network_interface": "cni-podman1",
          "created": "2022-10-19T17:48:33.07652204+08:00",
          "subnets": [
               {
                    "subnet": "192.168.200.0/24",
                    "gateway": "192.168.200.254"
               }
          ],
          "ipv6_enabled": false,
          "internal": false,
          "dns_enabled": false,
          "ipam_options": {
               "driver": "host-local"
          }
     }
]

After POD are created via the

# Add container to a network

# --ip ip

podman network connect [options] NETWORK CONTAINER

# Remove container from a network

# -f, --force   force removal of container from network

podman network disconnect [options] NETWORK CONTAINER

Network type: Macvlan

With macvlan, the container is given access to a physical network interface on the host.

This interface can configure multiple subinterfaces.

And each subinterface is capable of having its own MAC and IP address.

In the case of Podman containers, the container will present itself as if it is on the same network as the host.

podman network create -d macvlan -o parent=eth0 POD

Basic Usage

podman search rocky

podman pull rocky

Resolved "hello-world" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull quay.io/podman/hello:latest...

List container images (optionally filtered by name)

podman images [options] [IMAGE]

podman images

REPOSITORY            TAG         IMAGE ID      CREATED      SIZE
quay.io/podman/hello  latest      45c8981b04d0  7 hours ago  82.1 kB

podman images db

REPOSITORY    TAG         IMAGE ID      CREATED     SIZE
localhost/db  v2          60e6b9a17ba7  5 days ago  801 MB
localhost/db  v3          9a646ec64180  7 days ago  774 MB

Run

# --detach, -d           Run the container in the background and print the container ID
# --interactive, -i      keep stdin open even if not attached.
# --tty, -t              Allocate a pseudo-TTY

podman run -dit --name mytest hello-world

podman ps [-a]

inspect

podman inspect container-name

Useful info

podman inspect test | jq '.[] | keys'

podman inspect test | jq .[0].HostConfig | jq '.Memory, .MemorySwap'

podman inspect test | jq .[0].Mounts

podman inspect test | jq .[0].NetworkSettings.Networks

podman inspect test | jq .[0].Config.Labels

podman inspect test | jq .[0].Config.CreateCommand

podman inspect test | jq .[0].GraphDriver

attach

# detach from the container: ctrl-p,ctrl-q

podman attach container-name

stop

podman stop container-name

rm

podman rm container-name

container status

podman stats [container]

Fields:

  • ID
  • NAME
  • CPU %
  • MEM USAGE / LIMIT
  • MEM %
  • NET IO
  • BLOCK IO
  • PIDS
  • CPU TIME
  • AVG CPU %

mount & umount

mount

podman mount [options] [container …]

# list all of the currently mounted containers

podman mount

# mount

podman mount containerID1

# shows where it is mounted

/var/lib/containers/storage/overlay/ID/merged

umount

podman umount containerID

podman umount --all

podman cp

Besides mount, cp can be used to copy data directly

podman cp [options] [container:]src_path [container:]dest_path

options: --overwrite

Allow directories to be overwritten with non-directories and vice versa.

By default, podman cp errors out when attempting to overwrite

EXAMPLES

# Copy a file from host to a container

podman cp /myapp/app.conf containerID:/myapp/app.conf

# Copy a file from a container to a directory on another container

podman cp containerID1:/myfile.txt containerID2:/tmp

Image

search

# --filter

podman search --filter=is-official rocky

NAME                          DESCRIPTION
docker.io/library/rockylinux  The official build of Rocky Linux.

# --list-tags

podman search --list-tags docker.io/library/rockylinux

# --limit=limit

Limit the number of results (default 25).

pull

# name[:tag]

podman pull docker.io/library/rockylinux:8

image list

List local images

image tree

podman image tree myrock8

Image ID: b97594aed070
Tags:     [localhost/myrock8:v1 localhost/myrock8:latest]
Size:     431.9MB
Image Layers
├── ID: 44e6e3eb06d8 Size: 201.9MB Top Layer of: [docker.io/rockylinux/rockylinux:8.6]
├── ID: c78d5d722c03 Size: 23.04kB
├── ID: 1220167252e8 Size: 136.2MB
└── ID: 479813204267 Size: 93.69MB Top Layer of: [localhost/myrock8:v1 localhost/myrock8:latest]

P.S.

podman image inspect myrock8 | jq '.[].RepoTags, .[].RootFS'

[
  "localhost/myrock8:v1",
  "localhost/myrock8:latest"
]
{
  "Type": "layers",
  "Layers": [
    "sha256:44e6e3eb06d8ec453315fb8767b27ef54f69ca5c5364b6251d6bb2b907cc14bc",
    "sha256:ce22a1c72a329cbcfdf669cc4e1c9168e7943e768447c1095db99d6f329cdddd",
    "sha256:db2bf7c96010f30905ff7c31296d9fb75230cb44efa9459e1f25edc6286fa4b8",
    "sha256:2f3490b03e2c9ae98b0b699ac007146dd38866779075a82225017400919007e9"
  ]
}

history

Show history of a specified image

rmi

Removes one or more images from local storage

tag & untag

tag: Add an additional name to a local image

podman images

localhost/www-v3                 latest      9688b374182e  19 hours ago  602 MB

# If a specified name does not include a tag, :latest will be appended

podman tag 9688b374182e www:v3

localhost/www-v3                 latest      9688b374182e  19 hours ago  602 MB
localhost/www                    v3          9688b374182e  19 hours ago  602 MB

Set the latest tag on an image

podman tag b97594aed070 myrock8:v1

podman tag myrock8:v1 myrock8

untag: Remove one or more names from an image in the local storage.

# If no name is specified, all names are removed from the image.

podman untag 9688b374182e

<none>                           <none>      9688b374182e  19 hours ago  602 MB

Untag one name

podman untag b97594aed070 mypod-v2

Notes

[1] If a specified name is a short name and does not include a registry,
      localhost/ will be prefixed (e.g., fedora -> localhost/fedora).

[2] If a specified name does not include a tag,
     :latest will be appended (e.g., localhost/fedora -> localhost/fedora:latest).

Volume

--volume, -v=[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]

* docker by default uses overlay fs, and it uses a volatile mount!!

# mount cgroup read-only (it must be read-only!!)

--volume /sys/fs/cgroup:/sys/fs/cgroup:ro

---

# mount Folder to container

# -v /HOST-DIR:/CONTAINER-DIR

-v $volroot/data:/var/lib/mysql

---

# mount file to container

-v $ssh_key:/root/.ssh/authorized_keys:ro

Network & Firewall

rootful and rootless container networking

unprivileged users cannot create networking interfaces on the host

unprivileged users must use ports 1024 through 65535 as lower ports require root privileges.

the default network mode is slirp4netns

Slirp4netns creates a TAP device in the container's network namespace and connects to the usermode TCP/IP stack.

One of the drawbacks of slirp4netns is that the containers are completely isolated from each other.

Network (settings at RUN time)

expose

--expose=port

Expose a port, or a range of ports (e.g. --expose=3300-3310) to set up port redirection on the host system.

publish

--publish, -p=[[ip:][hostPort]:]containerPort[/protocol]

Publish a container’s port, or range of ports, to the host.

If host IP is set to 0.0.0.0 or not set at all, the port will be bound on all IPs on the host.

By default, Podman will publish TCP ports. To publish a UDP port instead, give udp as protocol.

Checking

netstat -ntlp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
...
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      17053/conmon
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      17053/conmon

conmon = /usr/bin/conmon

--expose vs --publish

1) If you specify neither EXPOSE nor -p, the service in the container will only be accessible from inside the container itself.

2) If you EXPOSE a port, the service in the container is not accessible from outside Docker, but from inside other Docker containers. So this is good for inter-container communication.

3) If you EXPOSE and -p a port, the service in the container is accessible from anywhere, even outside Docker. -p includes EXPOSE

--network=mode, --net=mode

mode: bridge[:OPTS,…]            # This is the default for rootful containers.

Create a network stack on the default bridge.

You can use the --network option multiple times to specify additional networks.

OPTS

ip=IPv4               # Specify a static IPv4 address for this container

mac=MAC               # Specify a static MAC address for this container

interface_name=NAME   # Specify a name for the created network interface inside the container

i.e.

--network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99

mode: <network name or ID>[:OPTIONS,…]

Connect to a user-defined network;

This is the network name or ID from a network created by "podman network create".

It takes the same OPTS as "mode: bridge"

mode: private

Create a new namespace for the container.

This will use the bridge mode for rootful containers and slirp4netns for rootless ones.

List port expose

# port [container|-a]              List port mappings for a container

podman port nginx

80/tcp -> 0.0.0.0:80
443/tcp -> 0.0.0.0:443
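The two outputs above cross-checked in an added Python example (not part of the original page or of Podman): it parses `netstat -ntlp` and `podman port NAME` in the formats shown on this page and reports published ports bound on 0.0.0.0 (all host IPs) and conmon listeners that no mapping explains. The netstat rows, container names and PIDs in it are constructed.

```python
import re

# Constructed sample of `netstat -ntlp`; PIDs and the extra listeners are invented.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      17053/conmon
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      17053/conmon
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      18100/conmon
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      18250/conmon
"""

# Constructed `podman port NAME` output per container, in the format shown above.
PODMAN_PORT_OUTPUTS = {
    "nginx": "80/tcp -> 0.0.0.0:80\n443/tcp -> 0.0.0.0:443\n",
    "db": "3306/tcp -> 127.0.0.1:3306\n",
}

NETSTAT_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp) -> (\S+):(\d+)$")


def parse_netstat(text):
    """Return [(bind_ip, port, pid, program), ...] for every TCP LISTEN row."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)))
    return rows


def parse_podman_ports(outputs):
    """Return {(host_ip, host_port): (container, "cport/proto")} from podman port output."""
    mapping = {}
    for name, text in outputs.items():
        for line in text.splitlines():
            m = PORT_RE.match(line.strip())
            if m:
                mapping[(m.group(3), int(m.group(4)))] = (name, "%s/%s" % (m.group(1), m.group(2)))
    return mapping


def check_ports(netstat_text, podman_outputs):
    """Cross-check conmon listeners against published ports.

    Reports a published port bound on 0.0.0.0 (reachable on every host IP) and a
    conmon listener that no `podman port` mapping explains.
    """
    mapping = parse_podman_ports(podman_outputs)
    findings = []
    for ip, port, pid, program in parse_netstat(netstat_text):
        if program != "conmon":
            continue  # not a container listener
        owner = mapping.get((ip, port))
        if owner is None:
            findings.append("unexplained: conmon pid %d listens on %s:%d" % (pid, ip, port))
        elif ip == "0.0.0.0":
            findings.append("all-interfaces: %s %s published on 0.0.0.0:%d" % (owner[0], owner[1], port))
    return findings


if __name__ == "__main__":
    for finding in check_ports(NETSTAT_OUTPUT, PODMAN_PORT_OUTPUTS):
        print(finding)
```

On a real host, feed it the captured `netstat -ntlp` text and one `podman port NAME` output per running container.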

Firewall

After every "firewall-cmd --reload", one of the following commands must be run!!

podman network reload container-ID

podman network reload --all

RUN

CMD vs ENTRYPOINT

Docker has a default entrypoint, which is /bin/sh -c, but does not have a default command.

The command is run via the entrypoint, so with the command "bash"
the actual thing that gets executed is "/bin/sh -c bash".

--add-host=host:ip

Add a line to /etc/hosts. The format is

hostname:ip

The --add-host option can be set multiple times.

The host's own hosts entries are added to the container already, so "--add-host=" is not needed for them

--dns=ipaddr

Set custom DNS servers.

--ip=ipv4

Specify a static IPv4 address for the container.
This option can only be used if the container is joined to only a single network
(--network=network-name).
The specified IP must be within the network's --ip-range.
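An added example (not from the original page or the Podman project) that applies the checks described in the network section and here: it takes the subnet and gateway from a constructed copy of the `podman network inspect MyNet` output above, takes the --ip-range from the `podman network create` call as a separate argument (the inspect output on this page does not show it), and reports why a given --ip would conflict with the network definition.

```python
import ipaddress
import json

# Constructed sample modelled on the `podman network inspect MyNet` output on this
# page; "id" is a placeholder, not a real network id.
INSPECT_JSON = json.dumps([{
    "name": "MyNet",
    "id": "PLACEHOLDER-NETWORK-ID",
    "driver": "bridge",
    "subnets": [{"subnet": "192.168.200.0/24", "gateway": "192.168.200.254"}],
}])

# --ip-range as given at `podman network create` time; the inspect output shown on
# this page does not include it, so the example takes it as a separate argument.
IP_RANGE = "192.168.200.128/25"


def load_subnets(inspect_output):
    """Return [(subnet, gateway), ...] from `podman network inspect` JSON."""
    net = json.loads(inspect_output)[0]
    return [(ipaddress.ip_network(s["subnet"]), ipaddress.ip_address(s["gateway"]))
            for s in net["subnets"]]


def check_static_ip(ip, inspect_output, ip_range):
    """Return the reasons a `--ip ip` would conflict with the network definition.

    An empty list means the address is inside the subnet, inside --ip-range and
    does not collide with the gateway, network or broadcast address.
    """
    addr = ipaddress.ip_address(ip)
    problems = []
    # The address must belong to one of the network's subnets.
    matching = [(s, gw) for s, gw in load_subnets(inspect_output) if addr in s]
    if not matching:
        problems.append("not in any subnet of the network")
        return problems
    subnet, gateway = matching[0]
    if addr == gateway:
        problems.append("collides with gateway %s" % gateway)
    if addr in (subnet.network_address, subnet.broadcast_address):
        problems.append("network or broadcast address of %s" % subnet)
    # As noted above, the static IP has to lie within --ip-range.
    if addr not in ipaddress.ip_network(ip_range):
        problems.append("outside --ip-range %s" % ip_range)
    return problems


if __name__ == "__main__":
    for candidate in ("192.168.200.130", "192.168.200.10",
                      "192.168.200.254", "10.0.0.5"):
        print(candidate, check_static_ip(candidate, INSPECT_JSON, IP_RANGE) or "ok")
```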

--tz=timezone

Set timezone in container.

# valid timezone names are the files under /usr/share/zoneinfo/

env

--env, -e=env

Set environment variables.

--env-file=file

Read in a file of environment variables.

--hostuser=name

Add a user account to /etc/passwd from the host to the container. The Username or UID must exist on the host system.

--passwd

Allow Podman to add entries to /etc/passwd and /etc/group when used in conjunction with the --user option.

--passwd-entry=ENTRY

Customize the entry that is written to the /etc/passwd file within the container when --passwd is used.

--user, -u=user[:group]

Sets the username or UID used and, optionally, the groupname or GID for the specified command.

Both user and group may be symbolic or numeric.

--label, -l=key=value

Add metadata to a container.

--mount=type=TYPE,TYPE-SPECIFIC-OPTION[,…]

Attach a filesystem mount to the container

Current supported mount TYPEs are bind, volume, image, tmpfs and devpts.

--secret=secret[,opt=opt …]

A secret is a blob of sensitive data which a container needs at runtime but should not be stored in the image or in source control,

such as usernames and passwords, TLS certificates and keys, SSH keys or other important generic strings or binary content (up to 500 kb in size).

When secrets are specified as type mount, the secrets are copied and mounted into the container when a container is created.

Rockylinux with systemd

Download an image first

https://hub.docker.com/r/rockylinux/rockylinux

podman pull docker.io/rockylinux/rockylinux

Create a POD that runs systemd

Containerfile                # which contains instructions for building the image

# Rocky Linux 8 base image with systemd as PID 1
FROM docker.io/rockylinux/rockylinux:8
# Tell systemd that it is running inside a container
ENV container docker
# Remove unit files that make no sense inside a container;
# keep only systemd-tmpfiles-setup.service under sysinit.target
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == \
systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;
# The cgroup tree is supplied from the host at run time (mounted read-only)
VOLUME [ "/sys/fs/cgroup" ]
# systemd must be the container's init process
CMD ["/usr/sbin/init"]

Build

podman build --rm -t r8-systemd .

-t imageName                   # will automatically be named localhost/imageName

--rm                                 # Remove intermediate containers after a successful build (default true).

--file, -f=Containerfile.txt   # Default: Containerfile

Run systemd POD

podman run -dit \
  --privileged \
  --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \
  --name mytest \
  localhost/r8-systemd

 * In order to run a container with systemd,
    you will need to mount the cgroups volumes from the host.
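An added example, not from the original page or the Podman project, that reads the same `podman inspect` fields the jq queries in "Useful info" use (.HostConfig, .Mounts, .Config) and flags the settings this page introduces: --privileged, capabilities added with --cap-add (AUDIT_WRITE below), a /sys/fs/cgroup mount that is not the :ro form required in the Volume section, and a missing memory limit. The inspect document in it is constructed with placeholder IDs.

```python
import json

# Constructed sample in the shape of `podman inspect mytest`; the Id is a
# placeholder and only the fields the audit reads are included.
SAMPLE_INSPECT = json.dumps([{
    "Id": "PLACEHOLDER-CONTAINER-ID",
    "Name": "mytest",
    "Config": {
        "Labels": {"app": "r8-systemd"},
        "CreateCommand": ["podman", "run", "-dit", "--privileged",
                          "--volume", "/sys/fs/cgroup:/sys/fs/cgroup",
                          "--name", "mytest", "localhost/r8-systemd"],
    },
    "HostConfig": {"Privileged": True, "CapAdd": ["AUDIT_WRITE"],
                   "Memory": 0, "MemorySwap": 0},
    "Mounts": [
        {"Type": "bind", "Source": "/sys/fs/cgroup",
         "Destination": "/sys/fs/cgroup", "RW": True},
        {"Type": "bind", "Source": "/srv/data",
         "Destination": "/var/lib/mysql", "RW": True},
    ],
}])


def audit_container(entry):
    """Return findings for one element of a `podman inspect` array."""
    host = entry.get("HostConfig", {})
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: all capabilities and host devices are available")
    # Capabilities added on top of the default set (the page adds AUDIT_WRITE for sshd).
    for cap in host.get("CapAdd") or []:
        findings.append("cap-add: %s" % cap)
    # The page's rule: the cgroup tree must be mounted read-only (:ro).
    for mount in entry.get("Mounts", []):
        if mount.get("Destination") == "/sys/fs/cgroup" and mount.get("RW"):
            findings.append("mount: /sys/fs/cgroup is read-write, expected :ro")
    # HostConfig.Memory == 0 means no memory limit (see the jq query on .Memory).
    if not host.get("Memory"):
        findings.append("limits: no memory limit (HostConfig.Memory == 0)")
    return findings


def audit(inspect_output):
    """Map container name -> findings for a whole `podman inspect` JSON document."""
    return {entry["Name"]: audit_container(entry) for entry in json.loads(inspect_output)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name + ":", "clean" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it as `podman inspect mytest | python3 audit.py` after replacing SAMPLE_INSPECT with sys.stdin.read() to check a live container.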

Custom POD

# exec - Run a process in a running container

podman exec -it mytest bash

dnf install epel-release
dnf install vim screen wget curl iproute procps-ng passwd
dnf install openssh-server rsyslog

sshd Service start failed

.. sshd[395]: fatal: linux_audit_write_entry failed: Operation not permitted
.. sshd[395]: pam_unix(sshd:session): session closed for user root
.. sshd[395]: fatal: linux_audit_write_entry failed: Operation not permitted
.. sshd[404]: fatal: mm_request_send: write: Broken pipe

Cause: podman dropped the audit_write capability by default.

Fix:

podman run --cap-add AUDIT_WRITE \
-p 22000:22 --expose=22 -dit centos:7 \
/bin/bash -c "yum install -y openssh-server && ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' && /usr/sbin/sshd -Dd"

export & import

export

Export container’s filesystem contents as a tar archive

 * writes to STDOUT by default
 * The image of the container exported by podman export can be imported by podman import.

import

Import a tarball to create a filesystem image

Notes

export vs save

export

It contains the same files as the image that started the container but without history and metadata.

save

preserves the "image" layer information, including all history and metadata

save & load

save

podman save [options] name[:tag]

Save image to an archive

--format=format

  • docker-archive
  • oci-archive

* podman save writes to STDOUT by default

i.e.

podman save > alpine-all.tar alpine

load

Load an image from container archive

podman load loads an image from either an oci-archive or a docker-archive stored on the local machine into container storage.

i.e.

zcat www-v3.tar.gz | podman load

commit & build

build

Build an image using instructions from Containerfiles

commit

Create new image based on the changed container

OPT

--author, -a=author

--include-volumes

Include in the committed image any volumes added to the container by the --volume or --mount OPTIONS to the podman create and podman run commands.

--format, -f=oci | docker

--change, -c=instruction

Apply the following possible instructions to the created image:

  •     CMD
  •     ENTRYPOINT
  •     ENV
  •     EXPOSE
  •     LABEL
  •     ONBUILD
  •     STOPSIGNAL
  •     USER
  •     VOLUME
  •     WORKDIR

--message, -m=message

Set commit message for committed image.

IMPORTANT: The message field is not supported in oci format.

--pause, -p              # The default is false.

Pause the container when creating an image.

--squash, -s            # The default is false.

Squash newly built layers into a single new layer.

i.e.

[1]

podman commit -a tim mytest mypod-v1

[2]

podman commit \
 --change CMD=/bin/bash \
 --change ENTRYPOINT=/bin/sh \
 reverent_golick image-committed

Checkpointing

Checkpointing a container stops the container while writing the state of all processes in the container to disk.

This capability requires CRIU 3.11 or later installed on the system (https://criu.org/Main_Page).

Checkpoints currently work with root containers only.

podman container checkpoint <container_id>

podman container restore <container_id>

logs

podman run -it --rm -d -p 8080:80 --name web nginx:alpine

podman logs web

podman logs --tail 10 web

healthcheck

podman healthcheck run CONTAINER

Runs the healthcheck command defined in a running container manually.

    0 = healthcheck command succeeded
    1 = healthcheck command failed
    125 = an error has occurred

--health-cmd="command" | "["command", "arg1", …]"

The command is a command to be executed inside your container that determines your container health.

--health-on-failure=action

  • none: Take no action (default)
  • kill: Kill the container
  • restart: Restart the container.
    Do not combine the restart action with the --restart flag.
    When running inside of a systemd unit, consider using the kill or stop action
    instead to make use of systemd’s restart policy.
  • stop: Stop the container

===========

--health-interval=30s
--health-retries=3
--health-timeout=30s
--health-start-period=0s

===========

--restart

Restart policy to follow when containers exit.

Restart policy will not take effect if a container is stopped via the podman kill or podman stop commands.

Please note that restart will not restart containers after a system reboot.

Valid policy values are:

  • no : Do not restart containers on exit
  • on-failure[:max_retries]
  • always: Restart containers when they exit, regardless of status
  • unless-stopped: Identical to always

Auto start container

Autostart Podman Containers - Add the container to systemd

podman ps

# NAMES = Container Name

podman generate systemd \
    --new --name NAMES \
    > /etc/systemd/system/NAMES.service

--new

Using this flag will yield unit files that do not expect containers and pods to exist.
Instead, new containers and pods are created based on their configuration files.
"--new" only works on containers and pods created directly via Podman.
It does not work on containers or pods created via the REST API or via podman kube play.

ExecStart=/usr/bin/podman run ...
ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id

i.e.

/etc/systemd/system/nginx.service

[Service]
Restart=on-failure
ExecStart=/usr/bin/podman run \
        --cidfile=%t/%n.ctr-id \
        --cgroups=no-conmon \
        --rm \
        --sdnotify=conmon \
        --replace \
        -dit \
        --privileged \
        --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \
        ...
ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all

no "--new"

ExecStart=/usr/bin/podman start nginx
ExecStop=/usr/bin/podman stop -t 10 nginx
ExecStopPost=/usr/bin/podman stop -t 10 nginx

systemctl list-unit-files | grep nginx

nginx.service                              disabled

systemctl enable nginx

systemctl start nginx

systemctl status nginx

● nginx.service - Podman container-nginx.service
   Loaded: loaded (/etc/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-10-26 13:27:16 HKT; 5s ago

Stop Container

If you try to run "podman stop nginx",

  => the container will be restarted by systemd because of the "Restart=on-failure" policy.

More info: systemd restart

systemctl stop nginx

volatile mount

Volatile mounts are not guaranteed to survive a crash.
It is strongly recommended that volatile mounts are only used if data written to the overlay can be recreated without significant effort.

The advantage of mounting with the "volatile" option is that all forms of sync calls to the upper filesystem are omitted.

When overlay is mounted with the "volatile" option, the directory "$workdir/work/incompat/volatile" is created.
During the next mount, overlay checks for this directory and refuses to mount if it is present.
This is a strong indicator that the user should throw away the upper and work directories and create fresh ones.

conmon program

When Podman starts a container it actually executes the conmon program, which then executes the OCI Runtime. Conmon is the container monitor. It is a small program whose job is to watch the primary process of the container, and if the container dies, save the exit code. It also holds open the tty of the container, so that it can be attached to later. This is what allows Podman to run in detached mode (backgrounded), so Podman can exit but conmon continues to run. Each container has its own instance of conmon. Conmon waits for the container to exit, gathers and saves the exit code, and then launches a Podman process to complete the container cleanup, by shutting down the network and storage.

help

man 8 conmon

conmon --version

conmon version 2.1.2
commit: 98e028a5804809ccb49bc099c0d53adc43ef8cc4

podman-gvproxy

It is based on the network stack of gVisor.

Compared to libslirp, gvisor-tap-vsock brings a configurable DNS server and dynamic port forwarding.

It is written in pure Go.

Running on the host, it provides a virtual gateway that can be used by the VM.

Rocky 8 App

mysql

  • /etc/my.cnf.d/
  • /var/lib/mysql/
  • /var/log/mysql/                                # log

nginx

  • /etc/nginx
  • /var/log/nginx                                  # log
  • /usr/share/nginx/html

apache & php

  • /etc/httpd
  • /etc/opt/remi/php80/
  • /home/vhosts
  • /var/log/httpd                                   # log
  • /var/opt/remi/php80/log/php-fpm      # log
  • /var/opt/remi/php80/lib/php/session

Cleanup container script

cleanup.sh

#!/bin/bash
# Clean a container before committing it to an image.

# Remove the backup copies of account files (/etc/passwd-, /etc/shadow-, ...)
rm -f /etc/*-

# Drop the dnf package cache
dnf clean all

# Force one log rotation, then delete the rotated copies
logrotate -f /etc/logrotate.conf
rm -f /var/log/*-*

# Truncate logs that logrotate does not handle
> /var/log/lastlog
> /var/log/dnf.log
> /var/log/dnf.librepo.log
> /var/log/dnf.rpm.log
rm -f /var/log/anaconda/*

# Only clears the history of this script's own shell; run "history -c"
# in the interactive shell as well before committing
history -c

runc

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification.

  • Linux namespaces full support
  • Native support of Linux security features such as SELinux and AppArmor
  • Specifications governed by Open Container Initiative

low-level: runc

high-level: CRI-O, podman, containerd

Relationship with runC

Podman calls the OCI runtime (runC) directly, using conmon as the manager of the container process.