What is Podman
Podman is an open-source container runtime project that runs on most Linux platforms. It offers functionality very close to Docker's, but it does not need a daemon running on the system and it can also run without root privileges.
Podman can manage and run any container or container image that conforms to the OCI (Open Container Initiative) specification. It provides a Docker-compatible command-line front end for managing Docker images.
What are the main differences between Podman and Docker?
- When Docker implements CRI it needs a daemon, and that daemon has to run as root, which brings a security risk with it.
- Podman needs neither a daemon nor a root user to run, so its logical architecture is sounder than Docker's.
- In Docker's runtime stack, several daemons sit between the user and the OCI implementation, runC.
- In the container-management chain, Docker Engine is implemented as the dockerd daemon, which on Linux must run as root; dockerd calls containerd, containerd calls containerd-shim, and only then is runC invoked. As the name suggests, the shim acts as a "spacer" so that a parent process exiting does not affect the running container.
- Podman calls the OCI runtime (runC) directly and uses conmon to manage the container process, with no root-owned daemon like dockerd.
- In the Podman stack there is a per-container monitor called conmon, normally located at /usr/libexec/podman/conmon. It is the parent of each container's process; every container gets its own conmon, and conmon's parent is usually PID 1. Podman's conmon plays roughly the role that containerd-shim plays in the Docker stack. Podman needs no daemon, whereas Docker does.
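To make the process-ancestry claim above checkable, here is an added example in shell (it is not from the original post): it walks a "PID PPID COMM" table such as `ps -eo pid=,ppid=,comm=` produces and reports whether a container's init process hangs off conmon and that conmon off PID 1. The `SAMPLE_PS` snapshot is constructed, not captured from a real host; `check_live` is an optional wrapper that needs a working podman and uses the real `podman run`, `podman inspect --format '{{.State.Pid}}'` and `podman stop` commands, while the function names and the sample table are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: check the process ancestry the
# post describes for podman -- container init -> conmon -> PID 1, no dockerd.
# The functions take a "PID PPID COMM" table so they run offline on the
# constructed snapshot below; check_live does the same on a real host.

# Constructed snapshot (not captured from a real machine), one process per line.
SAMPLE_PS='1 0 systemd
812 1 sshd
2301 1 conmon
2312 2301 nginx
2313 2312 nginx
2320 1 conmon
2331 2320 sleep'

# Print "PPID COMM" for one PID, or nothing if it is not in the table.
lookup() {  # $1 = pid, $2 = table
  printf '%s\n' "$2" | awk -v p="$1" '$1 == p { print $2, $3; exit }'
}

# Print the ancestry chain "comm(pid) <- comm(ppid) <- ... <- init(1)".
ancestry_of() {  # $1 = pid, $2 = table
  local pid=$1 table=$2 chain="" entry ppid comm
  while [ "$pid" != "0" ]; do
    entry=$(lookup "$pid" "$table")
    [ -n "$entry" ] || { echo "pid $pid not in table" >&2; return 1; }
    ppid=${entry%% *}
    comm=${entry#* }
    chain="${chain:+$chain <- }$comm($pid)"
    pid=$ppid
  done
  printf '%s\n' "$chain"
}

# Return 0 when the process's parent is conmon and that conmon has been
# reparented to PID 1, i.e. the podman layout; 1 otherwise.
is_conmon_managed() {  # $1 = pid, $2 = table
  local entry ppid pcomm gp
  entry=$(lookup "$1" "$2")
  [ -n "$entry" ] || return 1
  ppid=${entry%% *}
  entry=$(lookup "$ppid" "$2")
  [ -n "$entry" ] || return 1
  gp=${entry%% *}
  pcomm=${entry#* }
  [ "$pcomm" = conmon ] && [ "$gp" = 1 ]
}

# Live check (needs podman): start a throwaway container, find its host PID,
# and evaluate the real process table. Works the same rootless or as root.
check_live() {
  command -v podman >/dev/null 2>&1 || { echo "podman not installed" >&2; return 2; }
  local cid pid table
  cid=$(podman run -d --rm docker.io/library/alpine sleep 30) || return 1
  pid=$(podman inspect --format '{{.State.Pid}}' "$cid")
  table=$(ps -eo pid=,ppid=,comm=)
  ancestry_of "$pid" "$table"
  if is_conmon_managed "$pid" "$table"; then
    echo "conmon-managed: no root daemon in the chain"
  else
    echo "unexpected ancestry" >&2
  fi
  podman stop "$cid" >/dev/null
}
```

Run `check_live` as an unprivileged user to confirm that the chain above the container contains no root-owned daemon, or feed `ancestry_of` the output of `ps -eo pid=,ppid=,comm=` together with the PID of a container that is already running.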
Deploying Podman
1. Podman is only supported from Ubuntu 21 onward, so the system first has to be upgraded to Ubuntu 21.

| Operating system | Server vendor |
|---|---|
| Ubuntu 20.14 | Tencent Cloud lightweight server |
```bash
cd /etc/apt
mv sources.list sources.list_20.14 # back up the original configuration file
cat << eof >> sources.list
# Source-code mirrors are commented out by default to speed up apt update; uncomment them if you need them
deb http://mirrors.cloud.tencent.com/ubuntu/ impish main restricted universe multiverse
# deb-src http://mirrors.cloud.tencent.com/ubuntu/ impish main restricted universe multiverse
deb http://mirrors.cloud.tencent.com/ubuntu/ impish-updates main restricted universe multiverse
# deb-src http://mirrors.cloud.tencent.com/ubuntu/ impish-updates main restricted universe multiverse
deb http://mirrors.cloud.tencent.com/ubuntu/ impish-backports main restricted universe multiverse
# deb-src http://mirrors.cloud.tencent.com/ubuntu/ impish-backports main restricted universe multiverse
deb http://mirrors.cloud.tencent.com/ubuntu/ impish-security main restricted universe multiverse
# deb-src http://mirrors.cloud.tencent.com/ubuntu/ impish-security main restricted universe multiverse
# Pre-release repository, enabling it is not recommended
# deb http://mirrors.cloud.tencent.com/ubuntu/ impish-proposed main restricted universe multiverse
# deb-src http://mirrors.cloud.tencent.com/ubuntu/ impish-proposed main restricted universe multiverse
eof
apt update
apt upgrade -y
```
2. Install Podman
```bash
# Install podman on Ubuntu
apt install podman -y
# Install podman on CentOS
yum install -y podman
# Install podman on macOS
brew install podman
# Install podman on Arch
sudo pacman -S podman
```
3. Change the default container registry mirror and the data directory
```bash
cd /etc/containers/
# CentOS 7: change the default mirror
# Comment out the packaged [registries.search] header and the registries = [...] line
# that lists registry.access.redhat.com. The expressions must be quoted: unquoted,
# the unescaped [ is read by sed as an unterminated bracket expression and the command fails.
sed -i -e '/^\[registries\.search\]/s/^\[/#[/' -e '/registry\.access\.redhat\.com/s/^registries/#registries/' registries.conf
cat << eof >> registries.conf
[registries.search]
registries = ["docker.io"]
[[docker.io]]
location="j3m2itm3.mirror.aliyuncs.com"
eof
# CentOS 8 and Ubuntu: change the default mirror
# Comment out the packaged unqualified-search-registries line, then append the v2 config
sed -i '/unqualified-search-registries/s/unqualified/#unqualified/g' registries.conf
cat << eof >> registries.conf
unqualified-search-registries = ["docker.io"]
[[registry]]
prefix = "docker.io"
location = "j3m2itm3.mirror.aliyuncs.com"
eof
```
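As an added example that is not part of the original post, the same mirror can be configured as a v2 drop-in under /etc/containers/registries.conf.d/ instead of editing the packaged registries.conf, and the result linted for two things a reviewer looks for: a mirror declared with `insecure = true` (which disables TLS verification for it) and v1 `[registries.*]` stanzas mixed with v2 `[[registry]]` tables in one file, a combination podman rejects. The mirror host j3m2itm3.mirror.aliyuncs.com is the one used in the post; the function names, the output-file parameter and the constructed bad file used to exercise the lint are assumptions of this example. Note the difference from the `[[registry]] location = "<mirror>"` form used above: that maps every docker.io reference to the mirror for all operations, whereas `[[registry.mirror]]` is tried first for pulls and falls back to docker.io.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: write the docker.io mirror as a
# v2 drop-in (leaving the packaged registries.conf untouched) and lint it.

# Write a registries.conf.d drop-in; $1 = output file, $2 = mirror host.
write_mirror_dropin() {
  cat > "$1" <<EOF
# Short names such as "nginx" resolve only against docker.io. Prefer fully
# qualified names (docker.io/library/nginx) in Containerfiles and scripts so
# a pull can never be redirected by a change to this list.
unqualified-search-registries = ["docker.io"]

[[registry]]
prefix = "docker.io"

# Mirrors are used for pulls only; pushes still go to docker.io. The mirror is
# trusted to serve the same content as docker.io for a given tag, so pin by
# digest where that matters. insecure = false keeps TLS verification on.
[[registry.mirror]]
location = "$2"
insecure = false
EOF
}

# Lint a registries.conf (or drop-in): exit 0 if clean, otherwise print one
# line per finding and exit 1.
lint_registries_conf() {  # $1 = file
  local rc=0
  if grep -qE '^\[registries\.(search|insecure|block)\]' "$1" &&
     grep -q '^\[\[registry' "$1"; then
    echo "$1: mixes v1 ([registries.*]) and v2 ([[registry]]) syntax"
    rc=1
  fi
  if grep -qE '^[[:space:]]*insecure[[:space:]]*=[[:space:]]*true' "$1"; then
    echo "$1: insecure = true disables TLS verification for that registry or mirror"
    rc=1
  fi
  return $rc
}
```

To apply it on a host: `write_mirror_dropin /etc/containers/registries.conf.d/10-mirror.conf j3m2itm3.mirror.aliyuncs.com`, run `lint_registries_conf` on the new file, and check the registries section of `podman info` for the merged result.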
Common commands
They are the same as the docker commands: just replace docker with podman.
```text
root@server:~# podman -h
Manage pods, containers and images
Usage:
podman [options] [command]
Available Commands:
attach Attach to a running container
auto-update Auto update containers according to their auto-update policy
build Build an image using instructions from Containerfiles
commit Create new image based on the changed container
container Manage containers
cp Copy files/folders between a container and the local filesystem
create Create but do not start a container
diff Display the changes to the object's file system
events Show podman events
exec Run a process in a running container
export Export container's filesystem contents as a tar archive
generate Generate structured data based on containers, pods or volumes.
healthcheck Manage health checks on containers
help Help about any command
history Show history of a specified image
image Manage images
images List images in local storage
import Import a tarball to create a filesystem image
info Display podman system information
init Initialize one or more containers
inspect Display the configuration of object denoted by ID
kill Kill one or more running containers with a specific signal
load Load image(s) from a tar archive
login Login to a container registry
logout Logout of a container registry
logs Fetch the logs of one or more containers
machine Manage a virtual machine
manifest Manipulate manifest lists and image indexes
mount Mount a working container's root filesystem
network Manage networks
pause Pause all the processes in one or more containers
play Play containers, pods or volumes from a structured file.
pod Manage pods
port List port mappings or a specific mapping for the container
ps List containers
pull Pull an image from a registry
push Push an image to a specified destination
rename Rename an existing container
restart Restart one or more containers
rm Remove one or more containers
rmi Removes one or more images from local storage
run Run a command in a new container
save Save image(s) to an archive
search Search registry for image
secret Manage secrets
start Start one or more containers
stats Display a live stream of container resource usage statistics
stop Stop one or more containers
system Manage podman
tag Add an additional name to a local image
top Display the running processes of a container
unmount Unmounts working container's root filesystem
unpause Unpause the processes in one or more containers
unshare Run a command in a modified user namespace
untag Remove a name from a local image
version Display the Podman Version Information
volume Manage volumes
wait Block on one or more containers
Options:
--cgroup-manager string Cgroup manager to use ("cgroupfs"|"systemd") (default "systemd")
--cni-config-dir string Path of the configuration directory for CNI networks (default "/usr/libexec/cni")
--conmon string Path of the conmon binary
-c, --connection string Connection to use for remote Podman service
--events-backend string Events backend to use ("file"|"journald"|"none") (default "journald")
--help Help for podman
--hooks-dir strings Set the OCI hooks directory path (may be set multiple times) (default [/usr/share/containers/oci/hooks.d])
--identity string path to SSH identity file, (CONTAINER_SSHKEY)
--log-level string Log messages above specified level (trace, debug, info, warn, warning, error, fatal, panic) (default "warn")
--namespace string Set the libpod namespace, used to create separate views of the containers and pods on the system
--network-cmd-path string Path to the command for configuring the network
-r, --remote Access remote Podman service (default false)
--root string Path to the root directory in which data, including images, is stored
--runroot string Path to the 'run directory' where all state information is stored
--runtime string Path to the OCI-compatible binary used to run containers, default is /usr/bin/runc
--runtime-flag stringArray add global flags for the container runtime
--storage-driver string Select which storage driver is used to manage storage of images and containers (default is overlay)
--storage-opt stringArray Used to pass an option to the storage driver
--syslog Output logging information to syslog as well as the console (default false)
--tmpdir string Path to the tmp directory for libpod state content.
Note: use the environment variable 'TMPDIR' to change the temporary storage location for container images, '/var/tmp'.
--url string URL to access Podman service (CONTAINER_HOST) (default "unix:/run/podman/podman.sock")
-v, --version version for podman
```