1. 概述
podman 官网
写这个博客的原因是在地铁上,看到一篇博客《Docker 大势已去,Podman 万岁》,就去了解了下 podman,Redhat 的亲儿子。毕竟拥抱开源,拥抱 k8s,pod 的概念也有。
很多人可能遇到过开机重启时,由于 Docker 守护程序在占用多核 CPU 使用 100%C 使用的情况,导致所有容器都无法启动,服务都不能用的情况。过利用 Docker 重构 WP 博客的新架构。由于 VPS 机器不是很稳定,时常会重启,重启时候就会遇到这个事情,VPS 负载很高,容器都没有起来,网站就无法访问了。这时候只能杀掉所有容器并重启守护进程,才能恢复。经过了解该问题是由于 Docker 守护进程引起,而且 Docker 守护进程是以 root 特权权限启动的,是一个安全问题,那么有什么方法解决呢?
为什么 Docker 需要一个守护进程呢?
Podman,Skopeo 和 Buildah
这三个工具都是符合 OCI 计划下的工具(github/containers)。主要是由 RedHat 推动的,他们配合可以完成 Docker 所有的功能,而且不需要守护程序或访问有 root 权限的组,更加安全可靠,是下一代容器容器工具
2. 准备环境
这边我购买了一台阿里云 2 核 8G 的 ECS,抢占式付费模式。抢占式付费模式,比按时付费便宜,这边设置下最高竞价 0.5 元每小时,可以保障机器的所有权。选择 aliyun linux,也就是 o 的一个系统,系统本身做了一些优化之类的。
下面这张图就比较有意思了,现在很少可以买到经典网络的 ECS 了,除非之前有经典网络的 ECS,否则默认都是专有网络。阿里云大概从 2016 年开始,就是按区域做网络迁移了,增强了网络隔离性。还提到设备更换,性能更好,这就不知道了。恰巧前几天,碰上了网络模式迁移这件事。有几点需要注意下的就是
1.RDS 网络模式改成专有网络,首先需要打开白名单高安全模式(经典网络和 VPC 隔离),如果之前有应用链接的时候,最好迁移的时候不保留经典网络,这样链接地址不会变,不然需要修改 RDS 链接地址。保留的会就需要打开混淆模式,经典网络和 VPC 打通访问,当然这个因应用而异,也许有更无感的迁移方式。
2.ECS 迁移,可以保留原内网地址,但是需要你建的 VPC 网络,包含之前内网的网段,待迁移完成之后,自行手动修改
等到所有的操作都点完之后,我们服务器环境就准备好啦
3. 安装 podman
3.1 更新操作系统
yum update -y
体验了一把速度还是很快的,一会会就更新完毕了
3.2 安装 podman
sudo yum -y install podman
已安装: podman.x86_64 0:1.4.4-2.1.al7 作为依赖被安装: PyYAML.x86_64 0:3.10-11.1.al7 atomic-registries.x86_64 1:1.22.1-26.gitb507039.1.al7 audit-libs-python.x86_64 0:2.8.5-4.1.al7 checkpolicy.x86_64 0:2.5-8.1.al7 container-selinux.noarch 2:2.107-1.1.al7 containernetworking-plugins.x86_64 0:0.8.1-1.1.al7 containers-common.x86_64 1:0.1.37-1.1.al7 criu.x86_64 0:3.12-2.1.al7 libcgroup.x86_64 0:0.41-21.1.al7 libnet.x86_64 0:1.1.6-7.1.al7 libsemanage-python.x86_64 0:2.5-14.1.al7 libyaml.x86_64 0:0.1.4-11.1.al7 policycoreutils-python.x86_64 0:2.5-33.1.al7 protobuf-c.x86_64 0:1.0.2-3.4.al7 python-IPy.noarch 0:0.75-6.1.al7 python-backports.x86_64 0:1.0-8.1.al7 python-backports-ssl_match_hostname.noarch 0:3.5.0.1-1.1.al7 python-ipaddress.noarch 0:1.0.16-2.4.al7 python-pytoml.noarch 0:0.1.14-1.git7dea353.1.al7 python-setuptools.noarch 0:0.9.8-7.1.al7 runc.x86_64 0:1.0.0-64.rc8.1.al7 setools-libs.x86_64 0:3.3.8-4.1.al7 完毕!
4. 探索 podman 命令
4.1 podman -h
可以大概看出了,和 docker 的命令几乎是一致的
manage pods and images Usage: podman [flags] podman [command] Available Commands: attach Attach to a running container build Build an image using instructions from Dockerfiles commit Create new image based on the changed container container Manage Containers cp Copy files/folders between a container and the local filesystem create Create but do not start a container diff Inspect changes on container's file systems events Show podman events exec Run a process in a running container export Export container's filesystem contents as a tar archive generate Generated structured data healthcheck Manage Healthcheck help Help about any command history Show history of a specified image image Manage images images List images in local storage import Import a tarball to create a filesystem image info Display podman system information init Initialize one or more containers inspect Display the configuration of a container or image kill Kill one or more running containers with a specific signal load Load an image from container archive login Login to a container registry logout Logout of a container registry logs Fetch the logs of a container mount Mount a working container's root filesystem pause Pause all the processes in one or more containers play Play a pod pod Manage pods port List port mappings or a specific mapping for the container ps List containers pull Pull an image from a registry push Push an image to a specified destination restart Restart one or more containers rm Remove one or more containers rmi Removes one or more images from local storage run Run a command in a new container save Save image to an archive search Search registry for image start Start one or more containers stats Display a live stream of container resource usage statistics stop Stop one or more containers system Manage podman tag Add an additional name to a local image top Display the running processes of a container umount Unmounts working container's root filesystem unpause Unpause the processes in one or more containers unshare Run a command in a modified user namespace version Display the Podman Version Information volume Manage volumes wait Block on one or more containers Flags: --cgroup-manager string Cgroup manager to use (cgroupfs or systemd) (default "systemd") --cni-config-dir string Path of the configuration directory for CNI networks --config string Path of a libpod config file detailing container server configuration options --conmon string Path of the conmon binary --cpu-profile string Path for the cpu profiling results --default-mounts-file string Path to default mounts file --help Help for podman --hooks-dir strings Set the OCI hooks directory path (may be set multiple times) --log-level string Log messages above specified level: debug, info, warn, error, fatal or panic (default "error") --namespace string Set the libpod namespace, used to create separate views of the containers and pods on the system --network-cmd-path string Path to the command for configuring the network --root string Path to the root directory in which data, including images, is stored --runroot string Path to the 'run directory' where all state information is stored --runtime string Path to the OCI-compatible binary used to run containers, default is /usr/bin/runc --storage-driver string Select which storage driver is used to manage storage of images and containers (default is overlay) --storage-opt stringArray Used to pass an option to the storage driver --syslog Output logging information to syslog as well as the console --tmpdir string Path to the tmp directory --trace Enable opentracing output --version Version for podman Use "podman [command] --help" for more information about a command.
4.2 常用命令
4.2.1 查看运行的容器
[root@podman ~]# podman ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4.2.2 查看 podman 信息
[root@podman ~]# podman info host: BuildahVersion: 1.9.0 Conmon: package: podman-1.4.4-2.1.al7.x86_64 path: /usr/libexec/podman/conmon version: 'conmon version 0.3.0, commit: unknown' ........
4.2.3 运行一个简单的容器
podman run -dt -p 8080:8080/tcp -e HTTPD_VAR_RUN=/var/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ httpd
这边我们发现网速有点慢啊,找个国内源试下
mv /etc/containers/registries.conf /etc/containers/registries.conf.bak touch /etc/containers/registries.conf cat > /etc/containers/registries.conf <<EOF unqualified-search-registries = ["docker.io"] [[registry]] prefix = "docker.io" location = "******.mirror.aliyuncs.com" EOF
再次运行启动容器命令,就很快了
[root@podman containers]# podman run -dt -p 8080:8080/tcp -e HTTPD_VAR_RUN=/var/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ httpd Trying to pull docker.io/library/httpd... Getting image source signatures Copying blob 000eee12ec04 done Copying blob 32b8712d1f38 done Copying blob 51c60bde4d46 done Copying blob f1ca037d6393 done Copying blob c4bd3401259f done Copying config 2ae34abc2e done Writing manifest to image destination Storing signatures
4.2.4 查看镜像和容器
[root@podman containers]# podman ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 845ff52751b4 docker.io/library/httpd:latest httpd-foreground 24 seconds ago Up 23 seconds ago 0.0.0.0:8080->8080/tcp eager_ganguly [root@podman containers]# podman images REPOSITORY TAG IMAGE ID CREATED SIZE docker.io/library/httpd latest 2ae34abc2ed0 7 days ago 170 MB
我们访问下页面试下
[root@podman containers]# curl -iL 127.0.0.1:8080 curl: (7) Failed connect to 127.0.0.1:8080; 拒绝连接 [root@podman containers]# netstat -ntpl Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 6432/systemd-resolv tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 31319/conmon tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 6361/sshd
What?访问被拒绝,那就查看容器日志吧
[root@podman containers]# podman logs -f 845ff52751b4 AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.3. Set the 'ServerName' directive globally to suppress this message AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.3. Set the 'ServerName' directive globally to suppress this message [Fri Dec 06 12:36:57.794386 2019] [mpm_event:notice] [pid 1:tid 140331807290496] AH00489: Apache/2.4.41 (Unix) configured -- resuming normal operations [Fri Dec 06 12:36:57.794512 2019] [core:notice] [pid 1:tid 140331807290496] AH00094: Command line: 'httpd -D FOREGROUND'
进入容器查看,可能是文件的问题 😅
[root@podman containers]# podman exec -it 845ff52751b4 /bin/bash root@845ff52751b4:/usr/local/apache2# ll
那就简单暴力点吧
podman run -d -p 80:80 httpd [root@podman containers]# curl 127.0.0.1 <html><body><h1>It works!</h1></body></html> [root@podman containers]#
这边可以看到容器启动并访问成功了
[root@podman containers]# podman inspect 84 | grep IPAddress\": "IPAddress": "10.88.0.3", [root@podman containers]# podman inspect -l | grep IPAddress\": "IPAddress": "10.88.0.4", [root@podman containers]# podman ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 82d6075767be docker.io/library/httpd:latest httpd-foreground 4 minutes ago Up 4 minutes ago 0.0.0.0:80->80/tcp nostalgic_hypatia 845ff52751b4 docker.io/library/httpd:latest httpd-foreground 20 minutes ago Up 20 minutes ago 0.0.0.0:8080->8080/tcp eager_ganguly
4.2.5 备份迁移
podman 会先把容器打包成一个 gz 包,然后可以到远程服务器上导入。不知道是镜像小还是什么原因,速度很快。感觉比 docker 导入导出快多啦,不知道是不是错觉。
[root@podman containers]# podman container checkpoint 82d6075767be -e /tmp/checkpoint.tar.gz 82d6075767beff34a168ca48e47c5155bcd714eac1a53054049fbb841535832e [root@podman containers]# ll /tmp/ 总用量 1040 srwxr-xr-x 1 root root 0 12月 6 19:51 Aegis-<Guid(5A2C30A2-A87D-490A-9281-6765EDAD7CBA)> -rw------- 1 root root 1058827 12月 6 21:01 checkpoint.tar.gz drwx------ 3 root root 4096 12月 6 20:10 systemd-private-1254221ee241484f88bf1a3a3b2fa29b-chronyd.service-i0zmSw [root@podman containers]# podman rm -f 82d6075767be 82d6075767beff34a168ca48e47c5155bcd714eac1a53054049fbb841535832e [root@podman containers]# podman ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 845ff52751b4 docker.io/library/httpd:latest httpd-foreground 25 minutes ago Up 25 minutes ago 0.0.0.0:8080->8080/tcp eager_ganguly [root@podman containers]# podman container restore -i /tmp/checkpoint.tar.gz 82d6075767beff34a168ca48e47c5155bcd714eac1a53054049fbb841535832e [root@podman containers]# curl 127.0.0.1 <html><body><h1>It works!</h1></body></html> [root@podman containers]#
欢迎来到这里!
我们正在构建一个小众社区,大家在这里相互信任,以平等 • 自由 • 奔放的价值观进行分享交流。最终,希望大家能够找到与自己志同道合的伙伴,共同成长。
注册 关于