Podman networking
Setup first. This is not network configuration as such: it only aliases docker to podman so Docker-style commands keep working.
[root@localhost ~]# alias docker=podman
[root@localhost ~]# alias
alias cp='cp -i'
alias docker='podman'
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'
alias grep='grep --color=auto'
alias l.='ls -d .* --color=auto'
alias ll='ls -l --color=auto'
alias ls='ls --color=auto'
alias mv='mv -i'
alias rm='rm -i'
alias which='(alias; declare -f) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot'
alias xzegrep='xzegrep --color=auto'
alias xzfgrep='xzfgrep --color=auto'
alias xzgrep='xzgrep --color=auto'
alias zegrep='zegrep --color=auto'
alias zfgrep='zfgrep --color=auto'
alias zgrep='zgrep --color=auto'
Run two containers (each gets an address from the default podman bridge network, 10.88.0.0/16)
[root@localhost ~]# podman run -it --name test1 docker.io/library/busybox /bin/sh
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 3cb635b06aa2 done
Copying config ffe9d497c3 done
Writing manifest to image destination
Storing signatures
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether b6:b5:da:39:e5:cd brd ff:ff:ff:ff:ff:ff
inet 10.88.0.2/16 brd 10.88.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::b4b5:daff:fe39:e5cd/64 scope link
valid_lft forever preferred_lft forever
[root@localhost ~]# podman run -it --name test2 docker.io/library/busybox /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether ea:e9:99:ed:a5:d3 brd ff:ff:ff:ff:ff:ff
inet 10.88.0.3/16 brd 10.88.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::e8e9:99ff:feed:a5d3/64 scope link
valid_lft forever preferred_lft forever
// Try pinging the other container (10.88.0.3)
/ # ping 10.88.0.3
PING 10.88.0.3 (10.88.0.3): 56 data bytes
64 bytes from 10.88.0.3: seq=0 ttl=64 time=0.040 ms
64 bytes from 10.88.0.3: seq=1 ttl=64 time=0.054 ms
64 bytes from 10.88.0.3: seq=2 ttl=64 time=0.047 ms
64 bytes from 10.88.0.3: seq=3 ttl=64 time=0.035 ms
CNI: Container Network Interface. On the host each running container shows up as one end of a veth pair: the host end (vethXXXXXXXX@ifN, with master cni-podman0) is enslaved to the bridge, and link-netns names the container's network namespace. The two containers could ping each other because they sit on the same bridge; the default network applies no filtering between containers, so containers that must not talk to each other need a network of their own rather than the default one.
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:3e:7a:8e brd ff:ff:ff:ff:ff:ff
inet 192.168.160.122/24 brd 192.168.160.255 scope global noprefixroute ens160
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe3e:7a8e/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: cni-podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether d2:a0:71:bf:87:75 brd ff:ff:ff:ff:ff:ff
inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
valid_lft forever preferred_lft forever
inet6 fe80::d0a0:71ff:febf:8775/64 scope link
valid_lft forever preferred_lft forever
4: vethcff77b4a@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default
link/ether 92:1d:1e:10:09:b7 brd ff:ff:ff:ff:ff:ff link-netns cni-cc846b59-0fc0-390a-58d6-c73b0a6471b6
inet6 fe80::901d:1eff:fe10:9b7/64 scope link
valid_lft forever preferred_lft forever
5: vethbf5e9a9e@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default
link/ether c6:90:1b:88:1b:99 brd ff:ff:ff:ff:ff:ff link-netns cni-0903f2fb-9e94-da9a-563e-d13f5cd4c7e9
inet6 fe80::c490:1bff:fe88:1b99/64 scope link
valid_lft forever preferred_lft forever
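The host listing above is what you reconstruct during an incident: which veth leads to which container namespace, and which host interface a container's eth0@ifN points at. The following is an added example, not code from the page or from Podman. It parses the text format of `ip a` as shown above; the sample is constructed from the page's output, and the link-netns names appear only because CNI creates named network namespaces that ip(8) can resolve.

```python
"""Correlate host veth interfaces with container network namespaces.

Added example, not from the page or from Podman. It parses the text format of
`ip a` as shown above; the sample below is constructed from the page's output.
"""
import re

# Constructed sample: the host listing with test1 and test2 running.
HOST_IP_A = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:3e:7a:8e brd ff:ff:ff:ff:ff:ff
    inet 192.168.160.122/24 brd 192.168.160.255 scope global noprefixroute ens160
3: cni-podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether d2:a0:71:bf:87:75 brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
4: vethcff77b4a@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default
    link/ether 92:1d:1e:10:09:b7 brd ff:ff:ff:ff:ff:ff link-netns cni-cc846b59-0fc0-390a-58d6-c73b0a6471b6
5: vethbf5e9a9e@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default
    link/ether c6:90:1b:88:1b:99 brd ff:ff:ff:ff:ff:ff link-netns cni-0903f2fb-9e94-da9a-563e-d13f5cd4c7e9
"""

# "4: vethcff77b4a@if3: <FLAGS> rest..." -> index, name, peer ifindex, flags, rest
HEADER_RE = re.compile(r"^(\d+): ([^:@]+)(?:@if(\d+))?: <([^>]*)>(.*)$")


def parse_ip_a(text):
    """One dict per interface: index, name, peer_index, flags, master, netns, addrs."""
    links, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            master = re.search(r"\bmaster (\S+)", m.group(5))
            cur = {
                "index": int(m.group(1)),
                "name": m.group(2),
                "peer_index": int(m.group(3)) if m.group(3) else None,
                "flags": m.group(4).split(","),
                "master": master.group(1) if master else None,
                "netns": None,
                "addrs": [],
            }
            links.append(cur)
        elif cur is not None:
            ns = re.search(r"\blink-netns (\S+)", line)
            if ns:
                cur["netns"] = ns.group(1)
            addr = re.match(r"\s*inet6? (\S+)", line)
            if addr:
                cur["addrs"].append(addr.group(1))
    return links


def bridge_members(text, bridge):
    """[(host veth, container netns)] for every interface enslaved to `bridge`."""
    return [(lk["name"], lk["netns"]) for lk in parse_ip_a(text) if lk["master"] == bridge]


def host_peer(text, peer_index):
    """Host interface whose ifindex a container's eth0@ifN refers to (N = peer_index)."""
    for lk in parse_ip_a(text):
        if lk["index"] == peer_index:
            return lk["name"]
    return None


def bridge_has_carrier(text, bridge):
    """False once every member is gone: the NO-CARRIER state seen after the containers stop."""
    for lk in parse_ip_a(text):
        if lk["name"] == bridge:
            return "NO-CARRIER" not in lk["flags"]
    raise KeyError(bridge)


if __name__ == "__main__":
    for veth, netns in bridge_members(HOST_IP_A, "cni-podman0"):
        print(f"{veth} -> netns {netns}")
    print("container eth0@if4 peers with host", host_peer(HOST_IP_A, 4))
```

Interface indexes are per namespace, so the @ifN pairing only means something for a host listing and a container listing taken at the same time: test1's eth0@if4 pairs with host ifindex 4 (vethcff77b4a@if3, whose @if3 is the container side's ifindex 3).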
List the running containers
[root@localhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b6de79b80c66 docker.io/library/busybox:latest /bin/sh 4 minutes ago Up 4 minutes ago test1
97e2cd8782b4 docker.io/library/busybox /bin/sh 2 minutes ago Up 2 minutes ago test2
Stop/exit the test1 and test2 containers: the veth interfaces disappear, and with no members left the bridge reports NO-CARRIER
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:3e:7a:8e brd ff:ff:ff:ff:ff:ff
inet 192.168.160.122/24 brd 192.168.160.255 scope global noprefixroute ens160
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe3e:7a8e/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: cni-podman0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether d2:a0:71:bf:87:75 brd ff:ff:ff:ff:ff:ff
inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
valid_lft forever preferred_lft forever
inet6 fe80::d0a0:71ff:febf:8775/64 scope link
valid_lft forever preferred_lft forever
Podman firewall rules
View the NAT table
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
There are no rules yet
Run a container that publishes a port (host port 80 to container port 80)
[root@localhost ~]# podman run -td -p 80:80 --name web docker.io/library/httpd:latest
360c56837efa78411731d6a0cf2976c648c8c4bcfc5d2e59c2497e481f58cd88
Check whether new rules appeared (only the new CNI-DN-... chain is reproduced here)
[root@localhost ~]# iptables -t nat -nvL
Chain CNI-DN-d4a81ddd2a84c3b5caf96 (1 references)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 10.88.0.0/16 0.0.0.0/0 tcp dpt:80
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 127.0.0.1 0.0.0.0/0 tcp dpt:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.88.0.4:80
Look up the container's IP and confirm it is reachable
[root@localhost ~]# podman inspect -l|grep -i address
"IPAddress": "10.88.0.4",
"GlobalIPv6Address": "",
"MacAddress": "92:55:5e:76:af:04",
"LinkLocalIPv6Address": "",
"IPAddress": "10.88.0.4",
"GlobalIPv6Address": "",
"MacAddress": "92:55:5e:76:af:04",
Access it
[root@localhost ~]# curl 10.88.0.4
<html><body><h1>It works!</h1></body></html>
Flush the firewall rules (filter table first, then nat)
[root@localhost ~]# iptables --flush
[root@localhost ~]# iptables -t nat -F
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain CNI-d4a81ddd2a84c3b5caf96cf7 (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-HOSTPORT-SETMARK (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-HOSTPORT-MASQ (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-HOSTPORT-DNAT (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-DN-d4a81ddd2a84c3b5caf96 (0 references)
pkts bytes target prot opt in out source destination
The rules are gone. -F only flushes rules, so the CNI chains are still there but empty and unreferenced; only -X deletes chains.
Access it again:
[root@localhost ~]# curl 10.88.0.4
curl: (7) Failed to connect to 10.88.0.4 port 80:No route to host
Unreachable.
Regenerate the container's rules with podman network reload web:
[root@localhost ~]# podman network reload web
360c56837efa78411731d6a0cf2976c648c8c4bcfc5d2e59c2497e481f58cd88
Check the firewall rules again:
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-MASQ all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI portfwd requiring masquerade */
0 0 CNI-d4a81ddd2a84c3b5caf96cf7 all -- * * 10.88.0.4 0.0.0.0/0 /* name: "podman" id: "360c56837efa78411731d6a0cf2976c648c8c4bcfc5d2e59c2497e481f58cd88" */
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain CNI-HOSTPORT-SETMARK (2 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI portfwd masquerade mark */ MARK or 0x2000
Chain CNI-HOSTPORT-MASQ (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x2000/0x2000
Chain CNI-HOSTPORT-DNAT (2 references)
pkts bytes target prot opt in out source destination
0 0 CNI-DN-d4a81ddd2a84c3b5caf96 tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* dnat name: "podman" id: "360c56837efa78411731d6a0cf2976c648c8c4bcfc5d2e59c2497e481f58cd88" */ multiport dports 80
Chain CNI-d4a81ddd2a84c3b5caf96cf7 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 10.88.0.0/16 /* name: "podman" id: "360c56837efa78411731d6a0cf2976c648c8c4bcfc5d2e59c2497e481f58cd88" */
0 0 MASQUERADE all -- * * 0.0.0.0/0 !224.0.0.0/4 /* name: "podman" id: "360c56837efa78411731d6a0cf2976c648c8c4bcfc5d2e59c2497e481f58cd88" */
Chain CNI-DN-d4a81ddd2a84c3b5caf96 (1 references)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 10.88.0.0/16 0.0.0.0/0 tcp dpt:80
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 127.0.0.1 0.0.0.0/0 tcp dpt:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.88.0.4:80
The rules are back and every chain is referenced again. The caveat: anything on the host that flushes iptables (a firewall restart, a configuration-management run) silently breaks every published port until podman network reload is run for the affected containers; its --all option covers all running containers.
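A check a monitoring job can run against the listing above, so a flushed nat table is noticed before users report the port down. This is an added example, not code from the page or from Podman; it parses the `iptables -t nat -nvL` format shown above, and both samples are constructed from the page's output (the post-reload rules and the post-flush empty chains).

```python
"""Audit CNI port-forwarding rules in `iptables -t nat -nvL` output.

Added example, not from the page or from Podman. It parses the listing format
shown above; both samples are constructed from the page's output.
"""
import re
import subprocess

# Constructed sample: the chains that matter, as listed after `podman network reload`.
AFTER_RELOAD = """\
Chain CNI-HOSTPORT-DNAT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CNI-DN-d4a81ddd2a84c3b5caf96  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "podman" id: "360c56837efa78411731d6a0cf2976c648c8c4bcfc5d2e59c2497e481f58cd88" */ multiport dports 80
Chain CNI-DN-d4a81ddd2a84c3b5caf96 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       10.88.0.0/16         0.0.0.0/0            tcp dpt:80
    0     0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.88.0.4:80
"""

# Constructed sample: the same chains after `iptables -t nat -F` (chains survive, rules do not).
AFTER_FLUSH = """\
Chain CNI-HOSTPORT-DNAT (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain CNI-DN-d4a81ddd2a84c3b5caf96 (0 references)
 pkts bytes target     prot opt in     out     source               destination
"""

# Built-in chains print "(policy ...)", user chains print "(N references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:(\d+) references|policy [^)]*)\)")
# pkts bytes DNAT proto ... dpt:<host port> to:<container ip>:<port>
DNAT_RE = re.compile(r"^\s*\S+\s+\S+\s+DNAT\s+(\S+)\s.*\bdpt:(\d+)\s+to:(\S+)")


def parse_nat_listing(text):
    """{chain: (reference count or None for built-ins, [rule lines])}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = (int(m.group(2)) if m.group(2) else None, [])
        elif current and line.strip() and not line.lstrip().startswith("pkts"):
            chains[current][1].append(line)
    return chains


def dnat_mappings(text):
    """{(proto, host port): 'container_ip:port'} for every DNAT rule in the listing."""
    mappings = {}
    for _, rules in parse_nat_listing(text).values():
        for rule in rules:
            m = DNAT_RE.match(rule)
            if m:
                mappings[(m.group(1), int(m.group(2)))] = m.group(3)
    return mappings


def orphaned_cni_chains(text):
    """CNI chains nothing references any more: the fingerprint of a host-side flush."""
    return [name for name, (refs, _) in parse_nat_listing(text).items()
            if name.startswith("CNI-") and refs == 0]


def published_port_intact(text, host_port, container_ip, container_port, proto="tcp"):
    """True when traffic to host_port is still DNATed to container_ip:container_port."""
    return dnat_mappings(text).get((proto, host_port)) == f"{container_ip}:{container_port}"


def live_nat_listing():
    """Run iptables on this host (needs root); not used by the offline demo below."""
    return subprocess.run(["iptables", "-t", "nat", "-nvL"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for label, text in (("after reload", AFTER_RELOAD), ("after flush", AFTER_FLUSH)):
        print(label, "mappings:", dnat_mappings(text),
              "orphaned:", orphaned_cni_chains(text),
              "web intact:", published_port_intact(text, 80, "10.88.0.4", 80))
```

Feed live_nat_listing() to published_port_intact() with the IP from podman inspect, and treat a non-empty orphaned_cni_chains() result as the signal to run podman network reload rather than to hand-edit rules.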
Configuration file
Podman's bridge network configuration; the subnet and gateway handed to containers are controlled here. The portmap plugin implements -p (the CNI-HOSTPORT-* chains above), ipMasq on the bridge plugin produces the MASQUERADE rule for container egress, and the firewall plugin manages the filter-table rules that admit container traffic.
[root@localhost ~]# cat /etc/cni/net.d/87-podman-bridge.conflist
{
"cniVersion": "0.4.0",
"name": "podman",
"plugins": [
{
"type": "bridge",
"bridge": "cni-podman0",
"isGateway": true,
"ipMasq": true,
"hairpinMode": true,
"ipam": {
"type": "host-local",
"routes": [{ "dst": "0.0.0.0/0" }],
"ranges": [
[
{
"subnet": "10.88.0.0/16",
"gateway": "10.88.0.1"
}
]
]
}
},
{
"type": "portmap",
"capabilities": {
"portMappings": true
}
},
{
"type": "firewall"
},
{
"type": "tuning"
}
]
}
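A lint pass over this file before it is rolled out, as an added example that is not code from the page or from Podman. The conflist text is a copy of the page's 87-podman-bridge.conflist; the list of host networks to check for overlap is an input you supply (the page's host has 192.168.160.0/24 on ens160). It flags a gateway outside its subnet, a container subnet that collides with a network the host already routes to, masquerading turned off, and a missing portmap or firewall plugin.

```python
"""Lint a Podman CNI bridge conflist before rolling it out.

Added example, not from the page or from Podman. The conflist text is a copy
of the page's 87-podman-bridge.conflist; the host network list is an input
you supply (the page's host has 192.168.160.0/24 on ens160).
"""
import ipaddress
import json

PODMAN_BRIDGE_CONFLIST = """
{
  "cniVersion": "0.4.0",
  "name": "podman",
  "plugins": [
    {"type": "bridge", "bridge": "cni-podman0", "isGateway": true, "ipMasq": true,
     "hairpinMode": true,
     "ipam": {"type": "host-local", "routes": [{"dst": "0.0.0.0/0"}],
              "ranges": [[{"subnet": "10.88.0.0/16", "gateway": "10.88.0.1"}]]}},
    {"type": "portmap", "capabilities": {"portMappings": true}},
    {"type": "firewall"},
    {"type": "tuning"}
  ]
}
"""


def load_conflist(text):
    return json.loads(text)


def bridge_ranges(conf):
    """(subnet, gateway) strings declared by the bridge plugin's host-local IPAM."""
    out = []
    for plugin in conf.get("plugins", []):
        if plugin.get("type") != "bridge":
            continue
        for range_set in plugin.get("ipam", {}).get("ranges", []):
            for rng in range_set:
                out.append((rng["subnet"], rng.get("gateway")))
    return out


def lint_conflist(conf, host_networks=()):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    plugins = conf.get("plugins", [])
    types = [p.get("type") for p in plugins]
    if "bridge" not in types:
        findings.append("no bridge plugin: containers get no interface")
    if "portmap" not in types:
        findings.append("portmap plugin missing: -p/--publish has no effect")
    if "firewall" not in types:
        findings.append("firewall plugin missing: CNI will not manage filter rules for containers")
    for p in plugins:
        if p.get("type") == "bridge" and not p.get("ipMasq", False):
            findings.append("ipMasq is false: containers have no outbound NAT")
        if p.get("type") == "portmap" and not p.get("capabilities", {}).get("portMappings"):
            findings.append("portmap lacks the portMappings capability: runtime port maps are ignored")
    hosts = [ipaddress.ip_network(n, strict=False) for n in host_networks]
    for subnet_s, gateway_s in bridge_ranges(conf):
        subnet = ipaddress.ip_network(subnet_s, strict=False)
        if gateway_s is not None and ipaddress.ip_address(gateway_s) not in subnet:
            findings.append(f"gateway {gateway_s} is outside subnet {subnet}")
        for hn in hosts:
            if subnet.overlaps(hn):
                findings.append(f"container subnet {subnet} overlaps host network {hn}")
    return findings


def with_bridge_range(conf, subnet, gateway):
    """Copy of conf with the first bridge range replaced (for building failing cases)."""
    new = json.loads(json.dumps(conf))
    for p in new["plugins"]:
        if p.get("type") == "bridge":
            p["ipam"]["ranges"][0][0] = {"subnet": subnet, "gateway": gateway}
            return new
    raise ValueError("no bridge plugin")


def without_plugin(conf, plugin_type):
    """Copy of conf with one plugin type removed (for building failing cases)."""
    new = json.loads(json.dumps(conf))
    new["plugins"] = [p for p in new["plugins"] if p.get("type") != plugin_type]
    return new


if __name__ == "__main__":
    conf = load_conflist(PODMAN_BRIDGE_CONFLIST)
    print("page config:", lint_conflist(conf, ["192.168.160.0/24"]) or "OK")
    clash = with_bridge_range(conf, "192.168.160.0/24", "192.168.160.1")
    print("clashing subnet:", lint_conflist(clash, ["192.168.160.0/24"]))
```

Two points worth keeping in mind when reading the findings: the default 10.88.0.0/16 is a large slice of RFC 1918 space and will collide with an internal network sooner or later, and ipMasq true means container egress leaves with the host's address, so upstream logs attribute that traffic to the host rather than to a container.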
Check the usage of the attach subcommand
[root@localhost ~]# man podman-attach
podman-attach(1) General Commands Manual podman-attach(1)
NAME
podman-attach - Attach to a running container
SYNOPSIS
podman attach [options] container
podman container attach [options] container
DESCRIPTION
The attach command allows you to attach to a running container using the container's ID or name, either to view its ongoing
output or to control it interactively.
You can detach from the container (and leave it running) using a configurable key sequence. The default sequence is
ctrl-p,ctrl-q. Configure the keys sequence using the --detach-keys option, or specifying it in the containers.conf file: see
containers.conf(5) for more information.
OPTIONS
--detach-keys=sequence
Specify the key sequence for detaching a container. Format is a single character [a-Z] or one or more ctrl-<value> characters
where <value> is one of: a-z, @, ^, [, , or _. Specifying "" will disable this feature. The default is ctrl-p,ctrl-q.
--latest, -l
Instead of providing the container name or ID, use the last created container. If you use methods other than Podman to run
containers such as CRI-O, the last started container could be from either of those methods.
The latest option is not supported on the remote client.
--no-stdin
Do not attach STDIN. The default is false.
--sig-proxy=true|false
Proxy received signals to the process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is true.
EXAMPLES
$ podman attach foobar
[root@localhost /]#
$ podman attach --latest
[root@localhost /]#
$ podman attach 1234
[root@localhost /]#
$ podman attach --no-stdin foobar
SEE ALSO
podman(1), podman-exec(1), podman-run(1), containers.conf(5)
Starting containers at boot
As root
Create a container without starting it
[root@localhost ~]# podman create --name nginx nginx:latest
a105edbc50c1c593279dd968b9d799cb8be9f995e636811cdca398161b6d9a0d
Generate the service file
[root@localhost ~]# podman generate systemd --files --name nginx
/root/container-nginx.service
Move it under systemd. /usr/lib/systemd/system is the package-owned directory; locally written units belong in /etc/systemd/system, which systemd searches first, and a daemon-reload is the proper way to make systemd pick up a new unit file.
[root@localhost ~]# mv container-nginx.service /usr/lib/systemd/system/
[root@localhost ~]# systemctl status container-nginx
● container-nginx.service - Podman container-nginx.service
Loaded: loaded (/usr/lib/systemd/system/container-nginx.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:podman-generate-systemd(1)
Enable the container to start on boot
[root@localhost ~]# systemctl enable --now container-nginx
Created symlink /etc/systemd/system/multi-user.target.wants/container-nginx.service → /usr/lib/systemd/system/container-nginx.service.
Created symlink /etc/systemd/system/default.target.wants/container-nginx.service → /usr/lib/systemd/system/container-nginx.service.
[root@localhost ~]# systemctl status container-nginx
● container-nginx.service - Podman container-nginx.service
Loaded: loaded (/usr/lib/systemd/system/container-nginx.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2021-12-15 04:37:43 CST; 10s ago
Docs: man:podman-generate-systemd(1)
Process: 3545 ExecStart=/usr/bin/podman start nginx (code=exited, status=0/SUCCESS)
Main PID: 3637 (conmon)
Tasks: 2 (limit: 23491)
Memory: 1.9M
CGroup: /system.slice/container-nginx.service
└─3637 /usr/bin/conmon --api-version 1 -c a105edbc50c1c593279dd968b9d799cb8be9f995e636811cdca398161b6d9a0d -u a105edbc50c1c593>
Regular (rootless) user
Switch user
[root@localhost ~]# su - admin
Create a container without starting it
[admin@localhost ~]$ podman create --name web nginx:latest
ae654fe471a2fed9789c7003401739b314857adfbf5239ad31ccfceae2dcfd3f
Create the user unit directory (a directory, not a user: the systemd user manager reads units from ~/.config/systemd/user)
[admin@localhost ~]$ cd .config/
[admin@localhost .config]$ mkdir -p systemd/user
[admin@localhost .config]$ tree
.
└── systemd
└── user
Generate the service file
[admin@localhost user]$ podman generate systemd --files --name web
/home/admin/.config/systemd/user/container-web.service
Reload systemd. Without --user this addresses the system manager, which is why polkit asks for root's password; the user manager is the one that has to be reloaded:
[admin@localhost user]$ systemctl daemon-reload
==== AUTHENTICATING FOR org.freedesktop.systemd1.reload-daemon ====
Authentication is required to reload the systemd state.
Authenticating as: root
Password:
==== AUTHENTICATION COMPLETE ====
[admin@localhost user]$ systemctl status container-web --user
Failed to connect to bus: No such file or directory
This fails because su - does not create a systemd user session: there is no XDG_RUNTIME_DIR and no session bus for admin, so systemctl --user has nothing to connect to. Two things fix it. As root, enable lingering for the user with loginctl enable-linger admin; this starts the user manager for admin right away and keeps it running across reboots, which is also what makes the container start at boot without anyone logging in. Then either log in as admin directly (ssh or the console, so pam_systemd sets up the session) or, in the su shell, export XDG_RUNTIME_DIR=/run/user/$(id -u). After that, systemctl --user daemon-reload followed by systemctl --user enable --now container-web behaves exactly like the root procedure above.