| podman网络、常用命令、以及容器的开机自启 | 您所在的位置:网站首页 › 删除端口映射命令 › podman网络、常用命令、以及容器的开机自启 |
podman网络、常用命令、以及容器的开机自启
|
podman网络、常用命令、以及容器的开机自启
1. podman网络1.1 rootfull和rootless容器网络之间的差异1.2 防火墙基本网络设置1.3 容器间通信示例:1.4 查看防火墙规则
2. podman常用命令3. 容器的开机自启普通用户设置容器的开机自启
1. podman网络
1.1 rootfull和rootless容器网络之间的差异
podman容器联网的指导因素之一将是容器是否由root用户运行。这是因为非特权用户无法在主机上创建网络接口。因此,对于rootfull容器,默认网络模式是使用容器网络接口(CNI)插件,特别是桥接插件。对于rootless,默认的网络模式是slir4netns。由于权限有限,slirnetns缺少CNI组网的一些功能;例如,slirp4netns无法为容器提供可路由的IP地址。cni是容器网络接口 1.2 防火墙防火墙的作用不会影响网络的设置和配置,但会影响这些网络上的流量。最明显的是容器主机的入站网络流量,这些流量通常通过端口映射传递到容器上。根据防火墙的实现,我们观察到防火墙端口由于运行带有端口映射的容器(例如)而自动打开。如果容器流量似乎无法正常工作,请检查防火墙并允许容器正在使用的端口号上的流量。一个常见的问题是重新加载防火墙会删除cni iptables规则,从而导致rootful容器的网络连接丢失。podman v3提供了podman network reload命令来恢复它而无需重新启动容器。 基本网络设置大多数使用 Podman 运行的容器和 Pod 都遵循几个简单的场景。默认情况下,rootfull Podman 将创建一个桥接网络。这是 Podman 最直接和首选的网络设置。桥接网络在内部桥接网络上为容器创建一个接口,然后通过网络地址转换(NAT)连接到互联网。我们还看到用户也希望macvlan 用于联网。这macvlan插件将整个网络接口从主机转发到容器中,允许它访问主机所连接的网络。最后,无根容器的默认网络配置是 slirp4netns。slirp4netns 网络模式功能有限,但可以在没有 root 权限的用户上运行。它创建了一个从主机到容器的隧道来转发流量。 1.3 容器间通信示例: [root@localhost ~]# podman run -it --name test docker.io/library/busybox:latest /bin/sh // 启动一个test容器 / # ip a 1: lo: mtu 65536 qdisc noqueue qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0@if4: mtu 1500 qdisc noqueue link/ether 52:88:dc:58:af:08 brd ff:ff:ff:ff:ff:ff inet 10.88.0.2/16 brd 10.88.255.255 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::5088:dcff:fe58:af08/64 scope link valid_lft forever preferred_lft forever // 再启动一个test1的容器 [root@localhost ~]# podman run -it --name test1 docker.io/library/busybox:latest /bin/sh / # ping -c2 10.88.0.2 PING 10.88.0.2 (10.88.0.2): 56 data bytes 64 bytes from 10.88.0.2: seq=0 ttl=64 time=0.087 ms 64 bytes from 10.88.0.2: seq=1 ttl=64 time=0.080 ms --- 10.88.0.2 ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 0.080/0.083/0.087 ms// 每当启动一个容器就会在宿主机上启动一个veth类型的网卡,当容器停止运行就会关闭 [root@localhost ~]# ip a 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:e4:2b:70 brd ff:ff:ff:ff:ff:ff inet 192.168.182.151/24 brd 192.168.182.255 scope global noprefixroute ens33 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fee4:2b70/64 scope link valid_lft forever preferred_lft forever 3: cni-podman0: mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether ca:18:8f:f7:90:cc brd ff:ff:ff:ff:ff:ff inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0 valid_lft forever preferred_lft forever inet6 fe80::c818:8fff:fef7:90cc/64 scope link valid_lft forever preferred_lft forever 4: veth068c0b11@if2: mtu 1500 qdisc noqueue master cni-podman0 state UP group default link/ether 6a:b9:83:ce:04:eb brd ff:ff:ff:ff:ff:ff link-netns cni-9fe9f57d-2a01-c3fe-4dfa-a0d2213ff9a1 inet6 fe80::68b9:83ff:fece:4eb/64 scope link valid_lft forever preferred_lft forever 5: vethb5141e5a@if2: mtu 1500 qdisc noqueue master cni-podman0 state UP group default link/ether 7e:d1:e5:fe:28:15 brd ff:ff:ff:ff:ff:ff link-netns cni-4d8b67ae-52cd-b9c9-3f58-d56ccd1d70c7 inet6 fe80::7cd1:e5ff:fefe:2815/64 scope link valid_lft forever preferred_lft forever 1.4 查看防火墙规则 [root@localhost ~]# iptables -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination// 运行容器测试 // 当运行一个容器之后就会自动给容器添加一个规则,并放行其端口号 [root@localhost ~]# podman run -d -p 80:80 --name web --rm docker.io/library/httpd [root@localhost ~]# iptables -t nat -nvL Chain CNI-HOSTPORT-DNAT (2 references) pkts bytes target prot opt in out source destination 0 0 CNI-DN-221138b7a7c984de5db72 tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* dnat name: "podman" id: "2a378d287e05363c44bcd4bddbf62bcdaa59dbf58b52dfe413c66051e94af9d8" */ multiport dports 80 [root@localhost ~]# podman inspect -l | grep -i address //查看容器的IP地址 "IPAddress": "10.88.0.6", "GlobalIPv6Address": "", "MacAddress": "32:5f:7b:f4:53:ad", "LinkLocalIPv6Address": "", "IPAddress": "10.88.0.6", "GlobalIPv6Address": "", "MacAddress": "32:5f:7b:f4:53:ad", [root@localhost ~]# curl 10.88.0.6 //访问测试 It works!// 使用重启容器恢复防火墙规则 [root@localhost ~]# iptables -t nat -F //清空防火墙规则 [root@localhost ~]# iptables -t nat -nvL // 没有80了 [root@localhost ~]# iptables -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain CNI-HOSTPORT-SETMARK (0 references) pkts bytes target prot opt in out source destination Chain CNI-HOSTPORT-MASQ (0 references) pkts bytes target prot opt in out source destination Chain CNI-HOSTPORT-DNAT (0 references) pkts bytes target prot opt in out source destination Chain CNI-221138b7a7c984de5db72695 (0 references) pkts bytes target prot opt in out source destination Chain CNI-DN-221138b7a7c984de5db72 (0 references) pkts bytes target prot opt in out source destination // 重启容器 [root@localhost ~]# podman restart -l 73d028b2e5469bc836c0aa613b0ccf852a42098c64a70128516537f74906e348 [root@localhost ~]# iptables -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 1 76 CNI-HOSTPORT-MASQ all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI portfwd requiring masquerade */ 0 0 CNI-22189af7f3e87acc96dda61c all -- * * 10.88.0.10 0.0.0.0/0 /* name: "podman" id: "73d028b2e5469bc836c0aa613b0ccf852a42098c64a70128516537f74906e348" */ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL Chain CNI-HOSTPORT-SETMARK (2 references) pkts bytes target prot opt in out source destination 0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI portfwd masquerade mark */ MARK or 0x2000 Chain CNI-HOSTPORT-MASQ (1 references) pkts bytes target prot opt in out source destination 0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x2000/0x2000 Chain CNI-HOSTPORT-DNAT (2 references) pkts bytes target prot opt in out source destination 0 0 CNI-DN-22189af7f3e87acc96dda tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* dnat name: "podman" id: "73d028b2e5469bc836c0aa613b0ccf852a42098c64a70128516537f74906e348" */ multiport dports 80注意重启之后需要耐心等待一段时间才可以访问到界面 更多信息请见官网 CNI 网络配置目录的路径 /etc/cni/net.d //可以在此文件/etc/cni/net.d/87-podman.conflist修改网段以及网络的模式 /usr/share/containers/containers.conf //在此文件的[engine] 表的 env 设置环境变量,可以用来设置container.conf 文件的默认位置,设置registries.conf 文件的默认位置等。 常用命令作用podman attach附加到正在运行的容器。podman auto update根据其自动更新策略自动更新容器podman build使用 Containerfile 构建容器映像。podman commit根据更改的容器创建新图像。podman completion生成 shell 完成脚本podman container管理容器。podman cp在容器和本地文件系统之间复制文件/文件夹。podman create创建一个新容器。podman diff检查容器或映像文件系统上的更改。podman events监控 Podman 事件podman exec在正在运行的容器中执行命令。podman export将容器的文件系统内容导出为 tar 存档。podman generate基于容器、Pod 或卷生成结构化数据。podman healthcheck管理容器的健康检查podman history显示图像的历史记录。podman image管理图像。podman images列出本地存储中的图像。podman import导入 tarball 并将其另存为文件系统映像。podman info显示 Podman 相关的系统信息.podman init初始化一个或多个容器podman inspect显示容器、镜像、卷、网络或 pod 的配置。podman kill杀死一个或多个容器中的主进程。podman load将 tar 存档中的图像加载到容器存储中。podman login登录到容器注册表。podman logout注销容器注册表。podman logs显示一个或多个容器的日志。podman machine管理 Podman 的虚拟机podman manifest创建和操作清单列表和图像索引。podman mount挂载一个工作容器的根文件系统。podman network管理 Podman CNI 网络。podman pause暂停一个或多个容器。podman play根据结构化输入文件播放容器、Pod 或卷。podman pod容器组的管理工具,称为 pod。podman port列出容器的端口映射。podman ps打印出有关容器的信息。podman pull从注册表中拉取镜像。podman push将镜像、清单列表或镜像索引从本地存储推送到其他地方。podman rename重命名现有容器。podman restart重启一个或多个容器。podman rm移除一个或多个容器。podman rmi删除一个或多个本地存储的镜像。podman run在新容器中运行命令。podman save将镜像保存到存档。podman search在注册表中搜索图像。podman secret管理 podman 机密。podman start启动一个或多个容器。podman stats显示一个或多个容器的资源使用统计的实时流。podman stop停止一个或多个正在运行的容器。podman system管理 podman。podman tag向本地镜像添加附加名称。podman top显示容器的运行进程。podman unmount卸载工作容器的根文件系统。podman unpause取消暂停一个或多个容器。podman unshare在修改后的用户命名空间内运行命令。podman untag从本地存储的图像中删除一个或多个名称。podman version显示 Podman 版本信息。podman volume简单的卷管理工具。podman wait等待一个或多个容器停止并打印其退出代码。常用命令的示例: [root@localhost ~]# podman pull docker.io/library/nginx:latest //拉取一个nginx镜像 [root@localhost ~]# podman run -itd --name web01 nginx:latest //运行一个容器 [root@localhost ~]# podman commit -p -c "写在容器运行时要执行的命令" 容器id + 将容器重新命名,最好命名为你docker仓库的名字 // -p是暂停容器 [root@localhost ~]# podman cp 要传的文件或目录写绝对路径 容器的id或名字:要传到容器的那个目录里面去 [root@localhost ~]# podman rm -f 容器的id或名称 //-f是强制删除容器 [root@localhost ~]# podman rmi 删除镜像 [root@localhost ~]# podman rmi $(podman images -aq) //批量删除镜像,批量删除容器(使用rm是删除容器)同理 [root@localhost ~]# podman exec -it web01 /bin/bash //进入容器执行命令 root@5ee21fd9dae7:/# ls bin boot dev docker-entrypoint.d docker-entrypoint.sh etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var [root@localhost ~]# podman history nginx:latest //查看镜像的历史信息 ID CREATED CREATED BY SIZE COMMENT f652ca386ed1 12 days ago /bin/sh -c #(nop) CMD ["nginx" "-g" "daem... 0 B 12 days ago /bin/sh -c #(nop) STOPSIGNAL SIGQUIT 0 B 12 days ago /bin/sh -c #(nop) EXPOSE 80 0 B 12 days ago /bin/sh -c #(nop) ENTRYPOINT ["/docker-en... 0 B 12 days ago /bin/sh -c #(nop) COPY file:09a214a3e07c91... 7.17 kB 12 days ago /bin/sh -c #(nop) COPY file:0fd5fca330dcd6... 3.58 kB 12 days ago /bin/sh -c #(nop) COPY file:0b866ff3fc1ef5... 4.1 kB 12 days ago /bin/sh -c #(nop) COPY file:65504f71f5855c... 3.07 kB 12 days ago /bin/sh -c set -x && addgroup --system... 62 MB 12 days ago /bin/sh -c #(nop) ENV PKG_RELEASE=1~bullseye 0 B 12 days ago /bin/sh -c #(nop) ENV NJS_VERSION=0.7.0 0 B 12 days ago /bin/sh -c #(nop) ENV NGINX_VERSION=1.21.4 0 B 12 days ago /bin/sh -c #(nop) LABEL maintainer=NGINX ... 0 B 12 days ago /bin/sh -c #(nop) CMD ["bash"] 0 B 12 days ago /bin/sh -c #(nop) ADD file:ece5ff85ca549f0... 83.9 MB 3. 容器的开机自启 [root@localhost ~]# podman create --name nginx nginx:latest dc579013274433766bf6cbf29adb9d02ffc8518f37365e6bb4b350f7b68af954 [root@localhost ~]# podman generate systemd --restart-policy=always -t 2 nginx //生成nginx的service文件 # container-dc579013274433766bf6cbf29adb9d02ffc8518f37365e6bb4b350f7b68af954.service # autogenerated by Podman 3.4.1-dev # Tue Dec 14 23:31:26 CST 2021 [Unit] Description=Podman container-dc579013274433766bf6cbf29adb9d02ffc8518f37365e6bb4b350f7b68af954.service Documentation=man:podman-generate-systemd(1) Wants=network-online.target After=network-online.target RequiresMountsFor=/run/containers/storage [Service] Environment=PODMAN_SYSTEMD_UNIT=%n Restart=always TimeoutStopSec=62 ExecStart=/usr/bin/podman start dc579013274433766bf6cbf29adb9d02ffc8518f37365e6bb4b350f7b68af954 ExecStop=/usr/bin/podman stop -t 2 dc579013274433766bf6cbf29adb9d02ffc8518f37365e6bb4b350f7b68af954 ExecStopPost=/usr/bin/podman stop -t 2 dc579013274433766bf6cbf29adb9d02ffc8518f37365e6bb4b350f7b68af954 PIDFile=/run/containers/storage/overlay-containers/dc579013274433766bf6cbf29adb9d02ffc8518f37365e6bb4b350f7b68af954/userdata/conmon.pid Type=forking [Install] WantedBy=multi-user.target default.target [root@localhost ~]# podman generate systemd --files --name nginx //为指定的容器生成service文件 /root/container-nginx.service [root@localhost ~]# cp container-nginx.service /usr/lib/systemd/system/ //将生成的service文件移动到此目录下去 [root@localhost ~]# systemctl daemon-reload //重新加载 [root@localhost ~]# systemctl start container-nginx.service // 启动服务并查看状态 [root@localhost ~]# systemctl status container-nginx.service ● container-nginx.service - Podman container-nginx.service Loaded: loaded (/usr/lib/systemd/system/container-nginx.service; disabled; vendor preset: disabled) Active: active (running) since Tue 2021-12-14 23:37:19 CST; 3s ago Docs: man:podman-generate-systemd(1) Process: 11826 ExecStart=/usr/bin/podman start nginx (code=exited, status=0/SUCCESS) Main PID: 11912 (conmon) Tasks: 3 (limit: 11201) Memory: 4.1M [root@localhost ~]# systemctl enable --now container-nginx.service //设置开机自启 Created symlink /etc/systemd/system/multi-user.target.wants/container-nginx.service → /usr/lib/systemd/system/container-nginx.service. Created symlink /etc/systemd/system/default.target.wants/container-nginx.service → /usr/lib/systemd/system/container-nginx.service. 普通用户设置容器的开机自启 首先需要使用ssh的方式连接到普通用户而不能使用sudo或者su命令 [root@localhost ~]# ssh [email protected] // 创建此目录用来存放unit文件 [tom@localhost ~]$ mkdir -p ~/.config/systemduser/user/ // 配置redhat quay registry的证书可信 [root@localhost ~]# scp -rp root@localhost:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/pki/tls/certs/ca-bundle.crt [tom@localhost user]$ mkdir -p /home/user/www [tom@localhost ~]$ podman run -d --name web -v /home/user/www/:/var/www:Z nginx [tom@localhost ~]$ podman generate systemd --name web --files //生成service文件 [tom@localhost ~]$ systemctl --user daemon-reload //重新加载使其生效 [tom@localhost ~]$ systemctl --user enable container-web.service --now //设置开机自启 [tom@localhost ~]$ systemctl --user status container-web.service ● container-web.service - Podman container-web.service Loaded: loaded (/home/tom/.config/systemd/user/container-web.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2021-12-15 01:25:26 CST; 6min ago Docs: man:podman-generate-systemd(1) Main PID: 14602 (conmon) CGroup: /user.slice/user-1000.slice/[email protected]/container-web.service ├─14596 /usr/bin/fuse-overlayfs -o ,lowerdir=/home/tom/.local/share/containers/storage/overlay/l/NLT57YKWNYE3NTVFXZALWZAHSV:/home/tom/.local/share/containers/storage/overlay/l/CKF5ZM> ├─14599 /usr/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable-sandbox --enable-seccomp -c -e 3 -r 4 --netns-type=path /run/user/1000/netns/cni-2fa95e7f-6aab-641f-8429-daa> ├─14602 /usr/bin/conmon --api-version 1 -c 4bdbd6b7fdb9159d50ccc4a95ee401186634e900a59117d5e90aec57e39bebc5 -u 4bdbd6b7fdb9159d50ccc4a95ee401186634e900a59117d5e90aec57e39bebc5 -r /us> ├─14605 nginx: master process nginx -g daemon off; ├─14624 nginx: worker process └─14625 nginx: worker process |
【本文地址】
公司简介
联系我们